Abstract


The logical framework LF is a type theory defined by Harper, Honsell and Plotkin. It is well-suited to serve as a meta language to represent deductive systems. LF and its logic programming implementation Elf are also well-suited to represent meta-theoretic proofs and their computational content, but search for such proofs lies outside the framework. This thesis proposes a computational meta logic (MLF) for the Horn fragment of LF. The Horn fragment is a significant restriction of LF, but it is powerful enough to represent non-trivial problems. This thesis demonstrates how MLF can be used for the problem of compiler verification. It also discusses some theoretical properties of MLF.
Chapter 1

Introduction 


The logical framework LF is a type theory defined by Harper, Honsell and Plotkin [HHP93]. It is very well-suited to serve as a meta language to represent and reason over deductive systems. LF has been implemented as the logic programming language Elf by Pfenning [Pfe89, Pfe92, Pfe94a]. In recent years LF and Elf became more and more popular. Significant problems have been represented in LF and Elf, for example the Church-Rosser theorem [Pfe99] and a structural cut elimination theorem for classical, intuitionistic and linear logic [Pfe94c, Pfe94b].

Elf is a logic programming language and not an automated theorem proving system. Consequently, it serves the purpose of representing meta theoretical results, but it does not support their derivation. The calculus of constructions [CH88, PM93] and Martin-Löf type theory [ML84] are type theories different from LF. Based on these type theories, many different proof development systems have been implemented: Coq [C+95], LEGO [LP92, Pol94], Nuprl [C+86], Alf [Mag93, MN94, Mag95], and others. These systems are not designed as programming languages.

The aim of this thesis is to define the computational meta logic MLF for a fragment of LF. MLF is based on the intuitionistic sequent calculus with induction. Intuitionistic logic is nicely presented in [Gal93]. MLF is decorated with proof terms which can be interpreted as programs. In this sense MLF is computational. Differently from other implementations of automated theorem proving systems with induction like Coq [C+95], PVS [ORS92, RSC95], and others, MLF does not generate induction principles. Induction hypotheses can be applied to any term; the well-foundedness of the induction must be proven as a property of the proof term. A case distinction rule allows the elimination of LF types.

When using LF as a meta language, a common technique for representing an object language is higher order abstract syntax. It allows LF variables to represent the variables of the object language [Pfe92]. Consequently, constructs in the object language depending on free variables are represented as functions in LF.

MLF is a meta logic for the Horn fragment of LF. This restriction prevents MLF from proving the existence of a function object in a functional LF type. Consequently, higher order abstract syntax cannot be used in the object language MLF reasons about: the existence of a construct with free variables is not provable. On the other hand, if higher order abstract syntax is not used, MLF is still powerful enough to prove interesting results, as shown by examples in this thesis. The meta logic is full intuitionistic logic; the restriction to the Horn fragment refers only to the underlying type theory.

This thesis is organized as follows: In chapter 2 we introduce a toy problem. We show how this toy problem can be represented in LF and the calculus of inductive constructions. We also show an implementation of it in Elf, and how to use Coq's proof engine to derive some meta theoretical results. In chapter 3, we define MLF in terms of its language and its inference rules. Some theoretical properties of MLF are discussed in chapter 4. In chapter 5 we revisit the example from chapter 2 and describe the derivation of all presented meta theoretical results in MLF.


Chapter  2 


Motivation 


Type theory can be used to represent difficult and complex theoretical structures in a uniform way. LF type theory is very well suited to represent deductive systems; other type theories are more expressive. In this chapter we will present the logical framework LF and the calculus of inductive constructions (CIC). Both type theories are used as the underlying theories for several implementations. Elf is a logic programming language based on LF [Pfe89, Pfe94a, Pfe92] and Coq is a proof assistant based on CIC [C+95].

Type  theories  are  defined  as  a  set  of  type  inference  rules.  A  signature  defines  basic  constants 
and  their  types.  Signatures  represent  a  set  of  constructors,  from  which  more  complicated  terms 
can  be  built.  A  signature  in  LF  is  interpreted  as  a  logic  program  for  Elf.  Evaluation  of  a 
program  corresponds  to  type-checking.  A  signature  in  CIC  is  interpreted  as  a  collection  of 
objects,  lemmas  and  proofs  for  Coq. 

In the theory of programming languages one area of research is to define adequate notions of semantics for programming languages. The goal is to obtain a better understanding of programming languages and their problems. Languages can be compared by their semantics. Programming languages do not have a unique semantics: denotational semantics identifies computation with a denotation. Operational semantics explains computation in terms of an underlying machine. Natural semantics arises from rewriting theory: for a given reduction ordering the meaning of a program is its canonical form.

The remainder of this chapter is organized as follows: In the first section of this chapter we introduce a toy programming language and define its natural and operational semantics following ideas of Hannan and Pfenning [HP92]. Then we show that if a program has a certain semantical value with respect to the natural semantics, it has the same semantical value with respect to the operational semantics. The reverse direction can also be shown; the reader may consult [HP92, Pfe92]. We will call this theorem the equivalence theorem. The toy language, both semantic notions and the proof of the equivalence theorem can be represented in LF and implemented in Elf, as we show in section 2.2. Similarly it is possible to represent and implement the toy language and both semantical notions in CIC. Unlike the representation of the proof of the equivalence theorem in LF, Coq supports the search for the proof. This is described in section 2.3. Finally, in the last section of this chapter, we summarize our experiences with Elf and Coq.
2.1 An Example

We define now the toy programming language T. The language is essentially the simply typed λ-calculus containing two constructs: λ-abstraction and application. Variables are represented by de Bruijn indices. In the first subsection we introduce the language T. In the second subsection we define an evaluation judgement, which defines the natural semantics of T. In the third subsection we introduce a simulating machine with which we define the operational semantics. In the last subsection we state the equivalence theorem and prove one direction.


2.1.1  A  Toy  Language 

The language T is based on the simply-typed λ-calculus λ→. Variables are represented by de Bruijn indices: in de Bruijn's original formulation [dB72], variable names are encoded by natural numbers. De Bruijn indices replace variable names. Instead of defining variable names with every λ-abstraction, we implicitly assign natural numbers to each λ-expression. The index 1 then refers to the innermost λ-expression, the index 2 to the λ-expression in which the innermost is embedded:

    Λ Λ (2 1)

Here the index 1 refers to the inner Λ (level 1) and the index 2 to the outer Λ (level 2). This de Bruijn expression is equivalent to λx. λy. (x y). T will be represented in Elf and Coq. The indices cannot be represented directly: a potentially infinite number of constants would be necessary. Since Elf does not possess an implicit concept of natural numbers, de Bruijn indices have to be defined as: 1 is a de Bruijn index and N↑ is a de Bruijn index if N is a de Bruijn index. The syntax of the language T has the following form:

    Modified de Bruijn Expressions:  E ::= 1 | E↑ | Λ E | (E1 E2)

Application is defined as in the standard formulation of the λ-calculus. Note that by introducing indices this way, de Bruijn expressions can be formed which do not directly correspond to λ-expressions:

    Λ Λ (1 1)↑

is equivalent to

    Λ Λ (1↑ 1↑)

We assume all de Bruijn expressions to be closed, i.e. indices do not refer outside the outermost Λ-abstraction.
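The translation from named λ-terms into this index notation, as an added example written for this edition in Python rather than Elf (it is not code from the thesis): a name is resolved to the position of its binder counted from the innermost Λ, and the index k+1 is emitted as 1 followed by k shifts. The tuple encoding of expressions and the helper names are assumptions of the example. The closedness check treats a shift on a compound subexpression as dropping one environment entry for the whole subexpression, which is exactly what makes (1 1)↑ and (1↑ 1↑) interchangeable.

```python
# Added example, not part of the thesis: translating named lambda terms into the
# modified de Bruijn syntax of T.  Expressions are plain tuples (an assumed
# encoding, chosen here for illustration):
#   ("one",)          the index 1
#   ("shift", E)      E↑
#   ("lam", E)        Λ E
#   ("app", E1, E2)   (E1 E2)
# Named terms use ("var", name), ("lam", name, body) and ("app", f, a).

ONE = ("one",)


def shifted(e, n):
    """Apply n shifts to e: the index k+1 is written as 1 followed by k shifts."""
    for _ in range(n):
        e = ("shift", e)
    return e


def to_debruijn(term, bound=()):
    """Translate a closed named term.  `bound` lists the enclosing binders,
    innermost first, so the position of a name is its de Bruijn index minus 1."""
    tag = term[0]
    if tag == "var":
        name = term[1]
        if name not in bound:
            raise ValueError(f"free variable {name!r}: the result would not be closed")
        return shifted(ONE, bound.index(name))
    if tag == "lam":
        _, name, body = term
        return ("lam", to_debruijn(body, (name,) + bound))
    if tag == "app":
        return ("app", to_debruijn(term[1], bound), to_debruijn(term[2], bound))
    raise ValueError(f"unknown term {term!r}")


def show(e):
    """Render an expression in the notation of section 2.1.1."""
    tag = e[0]
    if tag == "one":
        return "1"
    if tag == "shift":
        return show(e[1]) + "↑"
    if tag == "lam":
        return "Λ " + show(e[1])
    return "(" + show(e[1]) + " " + show(e[2]) + ")"


def is_closed(e, depth=0):
    """True if no index refers outside the outermost Λ.  `depth` counts the
    environment entries available; a shift consumes one of them for the whole
    subexpression, so (1 1)↑ and (1↑ 1↑) are judged alike."""
    tag = e[0]
    if tag == "one":
        return depth >= 1
    if tag == "shift":
        return is_closed(e[1], depth - 1)
    if tag == "lam":
        return is_closed(e[1], depth + 1)
    return is_closed(e[1], depth) and is_closed(e[2], depth)


if __name__ == "__main__":
    # the running example of the text: λx. λy. (x y)
    named = ("lam", "x", ("lam", "y", ("app", ("var", "x"), ("var", "y"))))
    e = to_debruijn(named)
    print(show(e), is_closed(e))
```

A term with a free variable is rejected by `to_debruijn`, and `is_closed` rejects an expression such as Λ 1↑, whose only index refers past the outermost Λ.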

In the regular λ-calculus, β-reduction is defined as ((λx.M) N) reduces to [N/x]M. We avoid defining the notion of substitution. Instead we introduce the notion of environment, which represents variable bindings. An environment is represented as a stack of values. It is not enough to take de Bruijn expressions as values: we cannot assume that only unevaluated de Bruijn expressions are bound to variables. Evaluated de Bruijn expressions have to include the environment in which they are evaluated. Otherwise, partially evaluated de Bruijn expressions would lose binding information. Therefore, the definition of environments and the definition of values depend mutually on each other:

    Environments  K ::= · | K;W
    Values        W ::= {K, E}

Values are also called closures. The β-reduction rule for de Bruijn expressions now has the form: ((Λ M) N) reduces to {(·;{·, N}), M}. We call ((Λ M) N) a β-redex for arbitrary M and N. Given an arbitrary de Bruijn expression E, the β rule can be applied to every subexpression of E which is a β-redex. A de Bruijn expression which does not contain any β-redices is called normal.

The β-reduction rule does not define in which order β-redices are resolved. We will use a common evaluation order to derive the natural semantics. This evaluation order is referred to as eager evaluation: β-reduction is applied in an outermost leftmost order. The evaluation stops if a de Bruijn expression is reached which is not a β-redex. This expression is called canonical.

Expressions,  environments,  and  values  are  the  basic  components  of  the  language  T.  In  the 
next  subsections  we  define  its  natural  and  operational  semantics. 

2.1.2 Natural Semantics

We represent the natural semantics of the language T by an evaluation judgment. The judgment is defined to derive the canonical form of a de Bruijn expression using the eager evaluation order. Let E be an expression, W a value, and K an environment. The judgment

$$K \vdash E \hookrightarrow W$$

puts K, E and W in relation: in the environment K, the expression E has the semantical value W with respect to the natural semantics. The set of inference rules according to the eager evaluation ordering is defined as follows. If the de Bruijn expression is of the form 1, it refers to the top element of the environment, in this case W. We can assume W to be already a canonical element. Therefore it does not have to be evaluated further, but represents the result expression.

$$\frac{}{K;W \vdash 1 \hookrightarrow W}\;\textsf{ev\_1}$$

If the de Bruijn expression is of the form E↑, the top element of the environment is not used any more. It is enough to evaluate E in the smaller environment K. The result of the evaluation is the canonical form of the expression E.

$$\frac{K \vdash E \hookrightarrow W}{K;W' \vdash E{\uparrow} \hookrightarrow W}\;\textsf{ev\_shift}$$

In the case that the de Bruijn expression is a Λ-abstraction, the eager evaluation ordering demands that β-reduction is not applied to any β-redex in the body of the Λ-expression. Therefore the result is the closure of K and Λ E.

$$\frac{}{K \vdash \Lambda E \hookrightarrow \{K, \Lambda E\}}\;\textsf{ev\_lam}$$
Figure 2.1: Operational semantics of T. (Diagram: the expression E is mapped by the embedding ι to an initial state St, the machine transforms St ⇒* St' into a final state, and the projection π maps St' to the value W.)


The last rule is the application rule. This rule exhibits the eager evaluation order. To evaluate (E1 E2), first E1 must be evaluated, and the result is applied to the evaluated value of E2. Note that the environment K is made available to the first and second premiss. The result of the evaluation is independent of the evaluation order of the first two premisses.

$$\frac{K \vdash E_1 \hookrightarrow \{K', \Lambda E_1'\} \quad K \vdash E_2 \hookrightarrow W_2 \quad K';W_2 \vdash E_1' \hookrightarrow W}{K \vdash (E_1\ E_2) \hookrightarrow W}\;\textsf{ev\_app}$$

2.1.3 Operational Semantics

The definition of the operational semantics differs quite a lot from the definition of the natural semantics. The operational semantics of T is defined in terms of the execution behavior of a simulating machine. The machine we are using for our considerations is a CLS machine [Pfe92], which is a state machine with a special instruction set. Each instruction changes the current state of the machine deterministically. A sequence of states visited during a computation is called a trace. The evaluation of a de Bruijn expression is described in figure 2.1. In a first step the de Bruijn expression is mapped into an initial state St via an embedding function ι. Using the CLS machine, St is transformed into a final state St'. The judgment which expresses this is written St ⇒* St'. The resulting semantical value is projected into the value W via a projection function π.

The notion of state must refer to the environment, to the program which is to be executed, and to the result calculated so far. The order of the "execution" of the first two subgoals does not play any role in the definition of the natural semantics. This is not the case for the CLS machine. Assume the machine is in state S, and the execution of an instruction results in state S'. The execution of the next instruction results in a state S''. It is not true that the machine would end up in the same state S'' if both instructions had been executed in reverse order.

Therefore it is not enough to represent only the actual environment in the state. Environments at earlier stages of the computation must be accessible, so consequently the history of environments has to be stored in form of a stack. This stack serves as a storage space. Every new subcomputation is provided with a new copy of the actual environment on top of the stack.

    Environment Stacks  KS ::= · | KS;K

A similar argument makes the definition of another notion necessary: the result values of subcomputations should not manipulate the partial result of the actual computation. Therefore result values must also be administered by a stack: the result of a subcomputation is always the top element of the value stack:

    Value Stacks  S ::= · | S;W

We will now define the instruction set of the CLS machine. First, expressions can serve as instructions. According to the form of an expression, the single step transitions must be defined. Second, there are special instructions, which are executed to combine the results of the execution of subgoals. In the case of the execution of an application (E1 E2), E1 is executed to obtain a value W1, then E2 to obtain W2, and, finally, W1 and W2 are combined. The instruction which performs this combination is apply.

    Instructions  I ::= E | apply

A program is defined as a sequence of instructions; done stands for the "end of execution" flag.

    Programs  P ::= done | I & P

The notion of state is a triple consisting of an environment stack, a program and a value stack:

    State  St ::= (KS, P, S)

Next, the state transition function must be defined. A computation is a trace of one or more single step transitions. Each single step transition describes the state change evoked by one instruction. The single step relation is defined by a new judgement St ⇒ St'. The rules for this single step transition are formed as axioms.

If the instruction to be executed is of form 1, the top element of the actual environment has to be returned as a value. Note that the actual environment is the top environment on the environment stack.

$$\frac{}{((KS;(K;W)),\ 1\,\&\,P,\ S) \Rightarrow (KS,\ P,\ (S;W))}\;\textsf{s\_1}$$

If the instruction to be executed is of form E↑, the top element of the actual environment can be discarded and E has to be executed.

$$\frac{}{((KS;(K;W')),\ E{\uparrow}\,\&\,P,\ S) \Rightarrow ((KS;K),\ E\,\&\,P,\ S)}\;\textsf{s\_shift}$$

In case that a Λ-expression has to be executed, the result object is the closure of the actual environment and the Λ-expression Λ E. No further subcomputation is necessary.

$$\frac{}{((KS;K),\ \Lambda E\,\&\,P,\ S) \Rightarrow (KS,\ P,\ (S;\{K, \Lambda E\}))}\;\textsf{s\_lam}$$

Application is more complicated, because two subcomputations have to be initiated. The first subcomputation calculates the value of E1, the second the value of E2.

$$\frac{}{((KS;K),\ (E_1\ E_2)\,\&\,P,\ S) \Rightarrow ((KS;K;K),\ E_1\,\&\,E_2\,\&\,\textsf{apply}\,\&\,P,\ S)}\;\textsf{s\_app}$$

The instruction apply combines the results of both subcomputations. It assumes that both result objects are the top two elements of the result stack. The top element is assumed to be the value of the parameter, the second element is assumed to be the function. Therefore it must be the closure of a Λ-abstraction. To combine both computations K' is made the actual environment by pushing it on top of the environment stack, and then the value of the parameter W is pushed onto the actual environment. Afterwards, the body E' of the Λ-expression is executed:

$$\frac{}{(KS,\ \textsf{apply}\,\&\,P,\ (S;\{K', \Lambda E'\};W)) \Rightarrow ((KS;(K';W)),\ E'\,\&\,P,\ S)}\;\textsf{s\_apply}$$

A computation trace lies within the transitive closure of single step transitions: the judgement St ⇒* St' expresses the existence of a trace from St to St'. A trace can be empty or formed by a single step followed by another trace:

$$\frac{}{St \Rightarrow^* St}\;\textsf{m\_id} \qquad \frac{St \Rightarrow St' \quad St' \Rightarrow^* St''}{St \Rightarrow^* St''}\;\textsf{m\_step}$$


Finally a new judgement is introduced which defines the semantical value of a program with respect to the operational semantics: in an environment K, the expression E has the semantic value W:

$$K \vdash E \Longrightarrow W$$

The inference rule for this judgement is easily motivated: E has to be mapped into a state. This is defined by the function ι in figure 2.1. A state is defined in which the environment stack contains only one element, the environment K. E is directly interpreted as a program. After executing E, the computation must stop: done is the instruction executed after E has been executed. The value stack of the initial state is empty:

$$\iota(E) = ((\cdot;K),\ E\,\&\,\textsf{done},\ \cdot)$$

After the execution is completed, the final state is expected to be of the form (·, done, (·;W)). The function π we introduced in figure 2.1 is therefore defined as

$$\pi((\cdot,\ \textsf{done},\ (\cdot;W))) = W$$

The goal of the computation is to reach a final state. The environment stack should be empty, since the execution came to an end. The program should contain only the instruction done. The result value is expected to be the only element on the value stack.

$$\frac{((\cdot;K),\ E\,\&\,\textsf{done},\ \cdot) \Rightarrow^* (\cdot,\ \textsf{done},\ (\cdot;W))}{K \vdash E \Longrightarrow W}\;\textsf{c\_run}$$

We introduced the language T and its natural and operational semantics. In the next subsection we state the equivalence theorem: a de Bruijn expression has the same meaning in both semantics. We give the proof of the necessary direction: if a given expression E has the semantical value W with respect to the natural semantics, then E will have the same semantical value W with respect to the operational semantics.
2.1.4 Equivalence Theorem

In this subsection we show that the operational semantics for T and the natural semantics for T are equivalent. Given an environment K, an expression E and a value W, the equivalence theorem says that

$$K \vdash E \hookrightarrow W \quad\text{if and only if}\quad K \vdash E \Longrightarrow W$$

This theorem is of interest for two reasons. First, the theorem sets both semantical notions in relation. Second, its proof is representable in LF type theory, and therefore also in the Calculus of Inductive Constructions. Section 2.2.1 and section 2.3.1 show details of this representation.

For the proof of the equivalence theorem, we need a preliminary lemma. This lemma is a generalization of one direction of the equivalence theorem. It is called subcomputation lemma, because it states that every subcomputation ends with a result value on top of the value stack:

Lemma 2.1 (Subcomputation) Let K be an environment, E be an expression and W be a value. If K ⊢ E ↪ W then for all environment stacks KS, programs P and value stacks S

$$((KS;K),\ E\,\&\,P,\ S) \Rightarrow^* (KS,\ P,\ (S;W))$$

Proof: By induction on $\mathcal{D} :: K \vdash E \hookrightarrow W$.

Case: 𝒟 ends in an application of the rule ev_1.

$$\mathcal{D} = \frac{}{(K;W) \vdash 1 \hookrightarrow W}\;\textsf{ev\_1}$$

Hence we have by using s_1

$$((KS;(K;W)),\ 1\,\&\,P,\ S) \Rightarrow (KS,\ P,\ (S;W))$$

Using the rules for multi step computations, we immediately get a derivation for ((KS;(K;W)), 1 & P, S) ⇒* (KS, P, (S;W)).

Case: 𝒟 ends in an application of the rule ev_shift:

$$\mathcal{D} = \frac{K \vdash E \hookrightarrow W}{K;W' \vdash E{\uparrow} \hookrightarrow W}\;\textsf{ev\_shift}$$

Then

$$\begin{array}{lll}
 & ((KS;(K;W')),\ E{\uparrow}\,\&\,P,\ S) & \\
\Rightarrow & ((KS;K),\ E\,\&\,P,\ S) & \text{by s\_shift} \\
\Rightarrow^* & (KS,\ P,\ (S;W)) & \text{by induction hypothesis}
\end{array}$$

Therefore there is a derivation for ((KS;(K;W')), E↑ & P, S) ⇒* (KS, P, (S;W)).
Case: 𝒟 ends in an application of the rule ev_lam:

$$\mathcal{D} = \frac{}{K \vdash \Lambda E \hookrightarrow \{K, \Lambda E\}}\;\textsf{ev\_lam}$$

Then ((KS;K), Λ E & P, S) ⇒* (KS, P, (S;{K, Λ E})) follows directly from the definition of s_lam.

Case: 𝒟 ends in an application of the ev_app rule.

$$\mathcal{D} = \frac{\begin{array}{c}\mathcal{D}_1\\ K \vdash E_1 \hookrightarrow \{K', \Lambda E_1'\}\end{array} \quad \begin{array}{c}\mathcal{D}_2\\ K \vdash E_2 \hookrightarrow W_2\end{array} \quad \begin{array}{c}\mathcal{D}_3\\ K';W_2 \vdash E_1' \hookrightarrow W\end{array}}{K \vdash (E_1\ E_2) \hookrightarrow W}\;\textsf{ev\_app}$$

Then

$$\begin{array}{lll}
 & ((KS;K),\ (E_1\ E_2)\,\&\,P,\ S) & \\
\Rightarrow & ((KS;K;K),\ E_1\,\&\,E_2\,\&\,\textsf{apply}\,\&\,P,\ S) & \text{by rule s\_app} \\
\Rightarrow^* & ((KS;K),\ E_2\,\&\,\textsf{apply}\,\&\,P,\ (S;\{K', \Lambda E_1'\})) & \text{by ind. hyp. on } \mathcal{D}_1 \\
\Rightarrow^* & (KS,\ \textsf{apply}\,\&\,P,\ (S;\{K', \Lambda E_1'\};W_2)) & \text{by ind. hyp. on } \mathcal{D}_2 \\
\Rightarrow & ((KS;(K';W_2)),\ E_1'\,\&\,P,\ S) & \text{by rule s\_apply} \\
\Rightarrow^* & (KS,\ P,\ (S;W)) & \text{by ind. hyp. on } \mathcal{D}_3
\end{array}$$

□

Now we can state the equivalence theorem and prove one direction of it. The other direction is omitted; the reader is referred to [Pfe92].

Theorem 2.2 (Equivalence Theorem) For K environment, E expression and W value:

$$K \vdash E \hookrightarrow W \quad\text{if and only if}\quad K \vdash E \Longrightarrow W$$

Proof: ⇒: Apply the subcomputation lemma (Lemma 2.1) to K, E, W and K ⊢ E ↪ W. Choose the environment stack to be ·, the program to be done and the result stack to be ·:

$$((\cdot;K),\ E\,\&\,\textsf{done},\ \cdot) \Rightarrow^* (\cdot,\ \textsf{done},\ (\cdot;W))$$

Apply c_run to obtain

$$K \vdash E \Longrightarrow W$$

⇐: See [Pfe92]. □
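Both semantics side by side, as an added example written for this edition in Python (it is not the thesis's Elf code): `evaluate` implements ev_1, ev_shift, ev_lam and ev_app of section 2.1.2; `step` implements the single step rules s_1, s_shift, s_lam, s_app and s_apply of section 2.1.3; `run_sub` produces the trace ((KS;K), E & P, S) ⇒* (KS, P, (S;W)) of Lemma 2.1; and `run` is c_run with ι and π. The tuple encoding and all function names are assumptions of the example. Because the machine is driven step by step, a divergent term such as ((Λ (1 1)) (Λ (1 1))) is stopped by a step budget instead of looping forever; the derivations above only speak about terminating evaluations, so this case needs handling in code even though the proof never mentions it.

```python
# Added example, not the thesis's own code: both semantics of section 2.1.
# Encoding (assumed here for illustration):
#   expressions   ("one",) = 1, ("shift", E) = E↑, ("lam", E) = Λ E, ("app", E1, E2)
#   environments  tuples of values, top of the stack last
#   values        closures {K, Λ E} as pairs (K, ("lam", E))
#   programs      tuples of instructions, the last one being "done"; the
#                 combining instruction is the string "apply"
#   states        triples (KS, P, S): environment stack, program, value stack

def evaluate(K, E):
    """Natural semantics: returns W such that K ⊢ E ↪ W."""
    tag = E[0]
    if tag == "one":                              # ev_1
        if not K:
            raise ValueError("index refers outside the environment")
        return K[-1]
    if tag == "shift":                            # ev_shift
        if not K:
            raise ValueError("shift with an empty environment")
        return evaluate(K[:-1], E[1])
    if tag == "lam":                              # ev_lam: closure {K, Λ E}
        return (K, E)
    K1, lam = evaluate(K, E[1])                   # ev_app: E1 ↪ {K', Λ E1'}
    W2 = evaluate(K, E[2])                        #         E2 ↪ W2
    return evaluate(K1 + (W2,), lam[1])           #         K';W2 ⊢ E1' ↪ W


def step(state):
    """One transition St ⇒ St' of the CLS machine."""
    KS, P, S = state
    I, P = P[0], P[1:]
    if I == "done":
        raise ValueError("final state reached; no further step")
    if I == "apply":                              # s_apply
        (K1, lam), W = S[-2], S[-1]
        return (KS + (K1 + (W,),), (lam[1],) + P, S[:-2])
    KS, K = KS[:-1], KS[-1]                       # K is the actual environment
    if I[0] == "one":                             # s_1
        return (KS, P, S + (K[-1],))
    if I[0] == "shift":                           # s_shift
        return (KS + (K[:-1],), (I[1],) + P, S)
    if I[0] == "lam":                             # s_lam
        return (KS, P, S + ((K, I),))
    return (KS + (K, K), (I[1], I[2], "apply") + P, S)   # s_app


def run_sub(KS, K, E, P, S, max_steps=100000):
    """Trace ((KS;K), E&P, S) ⇒* (KS, P, (S;W)) as in the subcomputation lemma:
    step until the program P is reached again with the environment stack KS."""
    state = (KS + (K,), (E,) + P, S)
    for _ in range(max_steps):
        if state[1] == P and len(state[0]) == len(KS):
            return state
        state = step(state)
    raise RuntimeError("no final state within the step budget (divergent term?)")


def run(K, E, max_steps=100000):
    """Operational semantics c_run: K ⊢ E ⟹ W."""
    final = run_sub((), K, E, ("done",), (), max_steps)   # ι(E) = ((·;K), E&done, ·)
    KS, P, S = final
    assert KS == () and P == ("done",) and len(S) == 1     # (·, done, (·;W))
    return S[0]                                            # π


def agree(K, E):
    """One instance of the equivalence theorem, checked by computation."""
    return evaluate(K, E) == run(K, E)


if __name__ == "__main__":
    I = ("lam", ("one",))
    print(agree((), ("app", I, I)))
```

The two implementations are deliberately structured differently (a recursive function against a first-order state machine), which is what makes the agreement check informative: the environment stack discipline of s_app and s_apply is what keeps the two in step when E1 is itself an application.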




2.2  LF  and  Elf 

Elf  is  a  logic  programming  language  based  on  LF  type  theory.  Basic  theoretical  work  has  been 
done  by  Plotkin,  Honsell,  and  Harper  [HHP93].  Pfenning  implemented  LF  type  theory  in  form 
of  the  logic  programming  language  Elf  [Pfe91].  The  goal  of  this  section  is  to  introduce  LF  type 
theory  and  to  motivate  the  advantages  of  using  LF  type  theory  as  a  programming  language.  We 
will also demonstrate the need for a meta logic for LF.

This section is divided into two subsections. In the first subsection LF type theory is introduced. In the second subsection the representation of the language T in LF is given and the implementation of T in Elf is explained. This presentation will follow closely [Pfe92]. We then will discuss why meta logical reasoning over LF signatures within LF is burdensome: Elf is a programming language and is not intended to be a theorem prover.

While this section is concerned with LF and Elf, the next section gives an overview of the calculus of inductive constructions [PM93] as the theoretical foundation of Coq 5.10 [C+95].


2.2.1 LF Type Theory

LF type theory was introduced by Harper, Honsell and Plotkin in [HHP93]. It can be seen as an extension of the simply typed λ-calculus by introducing dependent types and a rigorous distinction between object level and type level. Note that this distinction is blurred for CIC, as we will see in the next section: there is no syntactical distinction between types and objects.

The strict distinction between object level and type level has a pleasant side effect. There is a natural way to present deductive systems in LF type theory. Objects can be interpreted as derivations and judgments can be interpreted as types. This is often referred to as the judgments-as-types paradigm. It makes a logical interpretation of LF type theory possible: types can also be interpreted as propositions, and the truth value of a proposition depends on whether the type is empty or not. If the type is not empty, it is called inhabited, and an inhabiting object corresponds to a proof. The combination of LF type theory, deductive systems, the logical interpretation and special characteristics of the inference rule system enables LF type theory to be used as a foundation for the logic programming language Elf.

A closer look at LF type theory reveals that there is another level besides the object and the type level. This level is called the kind level. A kind is the "type" of a type. Object level, type level and kind level describe all entities which are expressible in LF type theory. The strict distinction between object level and type level prevents the construction of self referential types: there is no need to introduce type universes for LF type theory.

We introduce now the language of each of these three layers. The object layer is represented using the simply-typed λ-calculus. We use M to denote objects. Objects are always typed. A stands for types. The presence of dependent types makes the notion of kind necessary. Kinds are abbreviated by K. There are two different groups of constants: we differentiate constants introduced on the object level from those introduced on the type level. All constants must be properly typed, that is object constants must have a certain type and type constants must be of a certain kind.
    Kind:       K ::= type | A → K | Πx:A. K
    Type:       A ::= a M1 ... Mn | A1 → A2 | Πx:A1. A2
    Object:     M ::= c | x | λx:A. M | M1 M2
    Signature:  Σ ::= · | Σ, c:A | Σ, a:K

Objects can be either variables, constants, applications, or λ-abstractions. Since there is the notion of function on the object level, there must be a function type on the type level: the Π-type. There are no type variables in LF, only object variables. Types which depend on parameters are called type families. In our presentation of LF we define the arrow types as syntactic sugar: the type A1 → A2 is a function type from A1 to A2. This is only a special case of the Π-type Πx:A1. A2 where x does not occur free in A2.

Dependent kinds are used to "type" dependent types: without dependent types there would be only one kind, type. To assign a kind to a type family, dependent kinds have to be introduced: Πx:A. K. It should be clear from the context whether a Π-abstraction constructs a type or a kind. As in the case of types, arrow kinds are defined as syntactic sugar: A → K stands for Πx:A. K where x does not occur free in K.

Let c and a be constant names: c : A is called an object constant declaration and a : K is called a type constant declaration. The signature Σ is defined as a list of such declarations; · stands for the empty signature.

We will now introduce the type system of LF. To define the general typing judgments we have to introduce the notion of a context. A context represents a list of variables and their types. Variables are always object variables, so their types must be defined on the type level. · stands for the empty context. In the following we omit the leading · for non-empty contexts. Here is the syntactical definition of contexts in LF:

    Context:  Γ ::= · | Γ, x:A

Because of the presence of dependent types, well-formed contexts have to be distinguished from ill-formed contexts. The problem of ill-formed contexts stems from the following observation: the types of the variables declared in the context need not be closed. Let $x$ be a free variable occurring in the type of a variable declaration. The context is ill-formed if $x$ is not declared earlier in the context. If $x$ is declared earlier, then the context is called well-formed.

Example 2.3 $\Gamma = x : A,\ z : (B\,x)$ is a well-formed context; $\Gamma' = z : (B\,x)$ is an ill-formed context.

We define the judgment $\vdash \Gamma\ \mathit{ctx}$ to express that the context $\Gamma$ is well-formed. For the set of inference rules defining this judgment consult [Pfe92].

A similar observation holds for signatures: object and type constants have to be defined before they can be used. This leads to the distinction between well-formed and ill-formed signatures. The reader may consult [Pfe92]. We omit the treatment of signatures in this presentation.

We define the typing judgments for LF objects, LF types, and LF kinds. Note that all three judgments depend on contexts: kinds and types may also depend on variables.

Definition 2.4 (LF typing judgments) We write

  $\vdash \Gamma\ \mathit{ctx}$        for $\Gamma$ being a well-formed context
  $\Gamma \vdash M : A$          for $M$ being of type $A$, in context $\Gamma$
  $\Gamma \vdash A : K$          for $A$ being of kind $K$, in context $\Gamma$
  $\Gamma \vdash K\ \mathit{kind}$     for $K$ being a kind in context $\Gamma$


We are not going to give all typing rules; a complete list is given in [HHP93, Pfe92]. As an example consider the typing rule for application of LF objects: for $(M\,N)$ to be well-typed we have to show that $M$ is a function of type $\Pi x{:}A.\,B$ whose domain is equivalent to the type of the parameter object $N$, namely $A$. Since $B$ may depend on $x$, the type of $(M\,N)$ is $B$ where all free occurrences of $x$ are replaced by $N$:

$$\frac{\Gamma \vdash M : \Pi x{:}A.\,B \qquad \Gamma \vdash N : A}{\Gamma \vdash (M\,N) : [N/x](B)}\ \textit{objapp}$$


The next rule shows how application on the type level is handled: it is of the same form as objapp, but $\Pi$ is now a constructor for kinds:

$$\frac{\Gamma \vdash A : \Pi x{:}B.\,K \qquad \Gamma \vdash M : B}{\Gamma \vdash (A\,M) : [M/x](K)}\ \textit{typeapp}$$


As a last example we give the rule for Π-formation on the kind level. Note that there is no application on the kind level. The rule reads as follows: if $A$ is a type in a context $\Gamma$ and $K$ can be shown to be a kind in the extended context $\Gamma, x : A$, then the free occurrences of $x$ in $K$ can be bound by the Π-constructor and the resulting construct is a kind.

$$\frac{\Gamma \vdash A : \mathit{type} \qquad \Gamma, x : A \vdash K\ \mathit{kind}}{\Gamma \vdash \Pi x{:}A.\,K\ \mathit{kind}}\ \textit{kindpi}$$


We  do  not  present  the  other  rules  here.  We  also  omit  the  presentation  of  equality  rules.  The 
reader  is  referred  to  [HHP93]. 

This completes the short introduction to the underlying ideas of LF and its realization. When using LF as a programming language the signature corresponds to a logic program. Constants are the constructors for proof objects. Types stand for propositions. A query corresponds to asking whether a type is inhabited. The execution of a query therefore corresponds to type checking a type and constructing a proof term for it. If no proof term can be found, the query is said to fail, otherwise it succeeds. Execution of the program $A$ therefore corresponds to the search for a derivation $\cdot \vdash M : A$.


Higher  order  abstract  syntax 

Higher order abstract syntax is a special variable representation technique which follows quite naturally from taking the λ-calculus as a representation language for languages which require a variable concept. This technique stems from the following observation: when representing a variable concept there are two possibilities to be considered. First, the variable concept can be represented directly. Variable names are represented by new constants. Substitution must also be represented. Experience shows that this approach is rather tedious and that it is very difficult to represent a variable concept correctly. A second possibility is to use the meta variable concept of the type theory instead of implementing a variable concept from scratch. In this case, terms with free variables are represented as function objects in the type theory. The technique is called higher order abstract syntax or HOAS. Object variables are represented as meta variables. The following example makes this more clear:

Example 2.5 Assume a language with a variable concept to be represented: we denote a variable of this concept with $\mathsf{x}$ and the LF variable with $x$. Suppose that the function $s$ is already represented in LF. Let $f$ be a function which should be represented in LF:

$f(\mathsf{x}) = (s\ \mathsf{x})$

When using HOAS, $f$ is represented as an LF λ-term:

$f = \lambda x.\,(s\,x)$

The variable concept does not have to be represented in LF.

Variable concepts typically make the notion of substitution necessary. How are substitutions represented when using HOAS, and how are substitutions applied when using HOAS? The notion of substitution need not be represented directly in the LF type theory. Substitution application corresponds to β-reduction, and β-reduction corresponds to application on the LF object level.

It is clear that mimicking substitution application by LF object application lacks generality. It must be proven that object level application is general enough to mimic substitution application. This is expressed by the substitution lemma, which has to be proven for every type family which makes use of HOAS: let $M$ be a term which should be represented as an object in LF type theory. We write $\ulcorner\cdot\urcorner$ for the polymorphic representation function. Let $M$ depend on some variable $x$. Let $\sigma$ be a substitution of the form $[N/x]$. The notation $[N/x](M)$ denotes the term where all occurrences of $x$ in $M$ are replaced by $N$. The idea of HOAS is to replace object variables by meta variables. Therefore $\ulcorner M\urcorner$ is actually a λ-expression in LF which expects another LF object as argument. The representation of substitution application has to be as follows:

$\ulcorner [N/x]M \urcorner = (\ulcorner M \urcorner\ \ulcorner N \urcorner)$

This property has to hold, otherwise HOAS is not applicable to the language in question. It has been shown that it holds in many examples. It is referred to as the substitution lemma in [Pfe92].

Canonical  forms 

We saw in the last subsection that higher order abstract syntax can be used to represent object language variables in LF. We saw that it takes some effort to prove the substitution lemma, depending on the type family which makes use of HOAS. We also saw that the representation function establishes an identification between derivations in a deductive system and objects in LF type theory, and between judgments and LF types. In this subsection we want to elaborate further on the similarities between deductive systems and LF type theory.

In general, derivations in a deductive system and objects in LF type theory may not be identified: we cannot expect that every object in LF type theory corresponds to a derivation. Consider the deductive system for the judgment $x \in \mathbb{N}$ with two inference rules:

$$\frac{}{z \in \mathbb{N}}\ z \qquad\qquad \frac{x \in \mathbb{N}}{x' \in \mathbb{N}}\ s$$

The judgment $x \in \mathbb{N}$ can be represented in LF as

  nat : type

and the rules can be represented as the following two declarations:

  z : nat
  s : nat → nat

In this deductive system the derivation of $z''' \in \mathbb{N}$ has the form

$$\frac{\dfrac{\dfrac{\dfrac{}{z \in \mathbb{N}}\ z}{z' \in \mathbb{N}}\ s}{z'' \in \mathbb{N}}\ s}{z''' \in \mathbb{N}}\ s$$

It is represented in LF, using the signature and the LF typing rules, as

  s(s(s(z))) : nat

Obviously $z : \mathit{nat}$ has a derivation, namely an instantiation of the axiom rule $z$. On the other hand $((\lambda x{:}\mathit{nat}.\,x)\ z) : \mathit{nat}$ does not correspond to a derivation in the system, but it is well-typed. This example shows that there are more LF objects than derivations. The solution to this problem is to restrict the set of LF objects to canonical LF objects. We omit the details of how canonical elements are defined; the reader may consult [HHP93, Pfe92]. We define a new judgment: an object $M$ is a canonical object of type $A$ in context $\Gamma$:

$\Gamma \vdash M :_c A$

For any deductive system, we should show adequacy:

If $\hat{M}$ is a derivation in a deductive system for the judgment $\hat{A}$ using possibly free syntactical variables in $\hat{\Gamma}$, then $\ulcorner\hat{\Gamma}\urcorner \vdash \ulcorner\hat{M}\urcorner :_c \ulcorner\hat{A}\urcorner$.

If $\Gamma \vdash M :_c A$ then there should be a derivation $\hat{M}$ of the judgment $\hat{A}$ and a context of variable declarations $\hat{\Gamma}$, s.t. $\ulcorner\hat{\Gamma}\urcorner = \Gamma$, $\ulcorner\hat{M}\urcorner = M$ and $\ulcorner\hat{A}\urcorner = A$.
Adequacy is to be shown for all types and type families. It guarantees the existence of an isomorphism between deductions and LF objects, and between judgments and types. If higher order abstract syntax is used, and the substitution lemma holds for the judgment involving HOAS, the isomorphism postulated in the adequacy theorem is called compositional.
For the definition of the system MLF, we will need the notion of atomic types:

Definition 2.6 (Atomic type) Let $A$ be an LF type. $A$ is called an atomic type iff $A$ is canonical and $A$ is not a Π-abstraction.

In the next subsection we will introduce the logic programming language Elf, and demonstrate how the example from section 2.1 can be represented in Elf by first representing it in LF type theory, and then interpreting the signature as a logic program.

2.2.2  Elf 

In this section we give a very short overview of the logic programming language Elf. Then we describe the representation in LF of the language T which was introduced in section 2.1.
In  parallel,  we  give  the  implementation  in  Elf:  At  first  we  describe  the  representation  and 
implementation  of  the  syntax  of  the  programming  language  T  using  de  Bruijn  indices.  Then  we 
represent  and  implement  the  notion  of  natural  semantics  and  the  notion  of  operational  semantics 
in  LF.  Eventually  we  show  the  representation  and  implementation  of  the  equivalence  theorem. 
This  presentation  follows  closely  [HP92]. 

How  to  use  Elf 

The process of programming in Elf proceeds in three stages. At the first stage, the problem is formulated in the form of a deductive system, as done in section 2.1. At the second stage the deductive system is represented in LF type theory: adequacy and substitution lemmas are proven at this stage. We omit these theoretical considerations in this presentation and refer the reader to [Pfe92]. The judgment $K \vdash E \hookrightarrow V$ for example is represented as the dependent type (feval K E V). Judgments are written in a very mathematical way, using mathematical symbols. LF types are written in the Roman font. At the third stage LF signatures are finally implemented in Elf. This step is quite straightforward: programming in Elf corresponds to writing signatures in LF type theory. We write Elf source code in typewriter font: the LF type family (feval K E V) for example is implemented as (feval K E V).

The syntax of Elf corresponds directly to the mathematical notation. The keyword type stands for the kind type. Let $A$, $B$ be types and $K$ a kind. λ-abstractions are expressed using the notation [x:A]M. Π-abstractions on the type level are written as (x:A)B and on the kind level as (x:A)K. We also make use of the arrow notation A -> B or A -> K, which corresponds to $A \to B$ and $A \to K$, respectively.

LF signatures correspond to LF programs. A signature is a list of declarations. Let $c : A$ be an object constant declaration and $a : K$ a type constant declaration. The implementation
in  Elf  is  then  of  the  form  c  :  A.  and  a  :  K.  For  a  more  detailed  description  of  Elf,  consult 
[Pfe89,  Pfe92]. 




Representation  and  Implementation  of  T 

We will now present the representation of de Bruijn expressions. A de Bruijn expression does not depend on any other objects. Therefore we declare the type (exp) of kind (type): exp is a type constant. We will also refer to it as a type constructor.

LF

  exp : type

The implementation in Elf is very similar:

Elf

  exp : type.

The  object  constants  or  object  constructors  of  the  type  exp  are  defined  as  follows: 


LF

  1   : exp
  ↑   : exp → exp
  lam : exp → exp
  app : exp → exp → exp

Elf

  1   : exp.
  ^   : exp -> exp.
  lam : exp -> exp.
  app : exp -> exp -> exp.

The object constructors 1 and ↑ define the set of de Bruijn indices: 1 corresponds to index 1, ↑ corresponds to the successor function. It is of type exp → exp, because it expects one argument: if N is an index, then (↑ N) is also an index. In our presentation we use ↑ as a postfix operator: we write (N↑) instead of (↑ N).

Since T makes use of de Bruijn indices, we do not have to implement an explicit variable concept. A Λ-abstraction expects only one argument, an expression of type (exp). Application expects two arguments: the first argument is the function which is to be applied to the second.

In section 2.1 we introduced the notion of values. A value is the closure of an environment and a de Bruijn expression. Environments depend on values. Both notions are mutually recursive. We will therefore first introduce the new types env and val. The object constructor empty defines the empty environment, ; is the environment constructor and clo is the constructor to create closures.

LF

  env   : type
  val   : type
  empty : env
  ;     : env → val → env
  clo   : env → exp → val

Elf

  env   : type.
  val   : type.
  empty : env.
  ;     : env -> val -> env.
  clo   : env -> exp -> val.

Representation  and  Implementation  of  the  Natural  Semantics 

In this paragraph we describe the representation of the natural semantics of the language T. The judgment $K \vdash E \hookrightarrow W$ is represented by the dependent type feval. feval depends on three parameters: the current environment, the expression to be evaluated and the result of the evaluation.

LF

  feval : env → exp → val → type

Elf

  feval : env -> exp -> val -> type.

In section 2.1 we defined four different rules for the evaluation judgment:

$$\frac{}{K;W \vdash 1 \hookrightarrow W}\ \textit{ev\_1} \qquad \frac{K \vdash E \hookrightarrow W}{K;W' \vdash E\!\uparrow\ \hookrightarrow W}\ \textit{ev\_shift} \qquad \frac{}{K \vdash \Lambda E \hookrightarrow \{K, \Lambda E\}}\ \textit{ev\_lam}$$

$$\frac{K \vdash E_1 \hookrightarrow \{K', \Lambda E_1'\} \qquad K \vdash E_2 \hookrightarrow W_2 \qquad K';W_2 \vdash E_1' \hookrightarrow W}{K \vdash (E_1\ E_2) \hookrightarrow W}\ \textit{ev\_app}$$

Because of the derivations-as-objects paradigm, each rule is represented as an object constructor: the type of each constructor depends on the premises of the rule and all free variables. The rules ev_1, ev_shift, ev_lam and ev_app are represented in LF as follows:


Due to the type reconstruction algorithm which is built into Elf we can omit the Π closures in Elf. The encoding in Elf is much more efficient. Note that the arrow in the Elf code is reversed for the sake of better readability. The program can be read like a Prolog program.

Elf

  fev_1   : feval (K ; W) 1 W.
  fev_^   : feval (K ; W') (F ^) W
            <- feval K F W.
  fev_lam : feval K (lam F) (clo K (lam F)).
  fev_app : feval K (app F1 F2) W
            <- feval K F1 (clo K' (lam F1'))
            <- feval K F2 W2
            <- feval (K' ; W2) F1' W.
Representation and Implementation of the CLS Machine

In section 2.1 we defined the general form of the CLS machine. We described the instruction set and the form of programs. Since a CLS machine is a state transition machine we also defined the notion of state. We will now give the representation of the various constructs in LF and the implementation in Elf.

We have to declare four new types: instructions, programs, environment stacks and states. Recall that instructions, programs and environments contribute to the formulation of a state, which is the basic notion for the CLS machine. The CLS runs by calculating traces of states. The final state represents the operational meaning of a de Bruijn expression, as described in diagram 2.1. The representation of the judgments in LF is straightforward. We obtain four new type constructors: instruction, program, envstack and state.


LF

  instruction : type
  program     : type
  envstack    : type
  state       : type

Elf

  instruction : type.
  program     : type.
  envstack    : type.
  state       : type.

Instructions can be formed in two ways: first, de Bruijn expressions by themselves are instructions. The function ev is an injective embedding function from the type of expressions into the type of instructions. Second, a new instruction has to be introduced which combines subcomputations: apply.

LF

  ev    : exp → instruction
  apply : instruction

Elf

  ev    : exp -> instruction.
  apply : instruction.

A program is defined as a list of instructions. The empty program is represented by done. & is the constructor to build up the list of instructions:

LF

  done : program
  &    : instruction → program → program

Elf

  done : program.
  &    : instruction -> program -> program.

The notion of environment stack is important, because old environments have to be saved in case subcomputations are started. emptys represents the empty environment stack, ;; the constructor.

LF

  emptys : envstack
  ;;     : envstack → env → envstack

Elf

  emptys : envstack.
  ;;     : envstack -> env -> envstack.

This completes the representation of the ingredients for the notion of state. Recall that a state contains the environment stack (a storage facility to store environments), the program (in the form of a list of instructions) and a storage facility to store results. We did not define a new type for the result stack, since it is only a stack of values, which is already defined as env. The state constructor is called st. Here is the representation in LF and in Elf.

LF

  st : envstack → program → env → state

Elf

  st : envstack -> program -> env -> state.

Representation  and  Implementation  of  T’s  Operational  Semantics 

In section 2.1 the notion of computation for a CLS machine was defined. A computation is a trace through the state space, ending in a final state. Traces were introduced as multi step transitions. A multi step transition consists of a sequence of single step transitions. Each single step transition corresponds to the execution of a single instruction. The operational semantics of T is specified by defining these single step transitions. A single step transition is defined as a relation between two states. We denote this relation by the infix operator ⇒. It is represented as:

LF

  ⇒ : state → state → type

Elf

  => : state -> state -> type.

Now we represent the single step transition rules: s_1, s_shift, s_lam, s_app and s_apply. The information whether a single step transition is applicable or not is stored in the types. Here is the representation of the rules:

LF

  c_1     : ΠH:envstack. ΠK:env. ΠW:val. ΠP:program. ΠS:env.
            st (H;;(K;W)) ((ev 1)&P) S ⇒ st H P (S;W)

  c_↑     : ΠH:envstack. ΠK:env. ΠW':val. ΠF:exp. ΠP:program. ΠS:env.
            st (H;;(K;W')) (ev (F↑)&P) S ⇒ st (H;;K) (ev F&P) S

  c_lam   : ΠH:envstack. ΠK:env. ΠF:exp. ΠP:program. ΠS:env.
            st (H;;K) (ev (lam F)&P) S ⇒ st H P (S;clo K (lam F))

  c_app   : ΠH:envstack. ΠK:env. ΠF1:exp. ΠF2:exp. ΠP:program. ΠS:env.
            st (H;;K) (ev (app F1 F2)&P) S ⇒ st (H;;K;;K) (ev F1&ev F2&apply&P) S

  c_apply : ΠH:envstack. ΠP:program. ΠS:env. ΠK':env. ΠF1':exp. ΠW2:val.
            st H (apply&P) (S;clo K' (lam F1');W2) ⇒ st (H;;(K';W2)) (ev F1'&P) S

These five statements can be represented much more easily in Elf. The reason is again Elf's powerful type reconstruction algorithm. Here is the representation in Elf:

Elf

  c_1     : st (H ;; (K ; W)) (ev 1 & P) S
            => st H P (S ; W).
  c_^     : st (H ;; (K ; W')) (ev (F ^) & P) S
            => st (H ;; K) (ev F & P) S.
  c_lam   : st (H ;; K) (ev (lam F) & P) S
            => st H P (S ; clo K (lam F)).
  c_app   : st (H ;; K) (ev (app F1 F2) & P) S
            => st (H ;; K ;; K) (ev F1 & ev F2 & apply & P) S.
  c_apply : st H (apply & P) (S ; clo K' (lam F1') ; W2)
            => st (H ;; (K' ; W2)) (ev F1' & P) S.


On top of the single step relation the multi step relation is defined. It is the transitive closure of the single step relation. A multi step is characterized by a start state and an end state. The representation of the multi step relation is as follows:

LF

  ⇒* : state → state → type

Elf

  =>* : state -> state -> type.

The constructor objects are represented in LF (the first is the empty trace, the second prefixes a trace with a single step):

LF

  id : ΠSt:state. St ⇒* St
  ~  : ΠSt:state. ΠSt':state. ΠSt'':state.
       St ⇒ St' → St' ⇒* St'' → St ⇒* St''

and implemented in Elf:

Elf

  id : St =>* St.
  ~  : St => St' -> St' =>* St'' -> St =>* St''.

Next, we represent the operational meaning of a de Bruijn expression: recall that a de Bruijn expression E is mapped into the state space via the injection function ι. Then a trace is calculated which ends in a final state. This final state is projected into the space of de Bruijn expressions via the function π to obtain the operational meaning W of E. ceval represents the judgment $K \vdash E \Longrightarrow W$, with K an environment.

LF

  ceval : env → exp → val → type

Elf

  ceval : env -> exp -> val -> type.
The only constructor for ceval has the form:

LF

  run : ΠK:env. ΠE:exp. ΠW:val.
        st (emptys;;K) (ev E&done) (empty) ⇒* st (emptys) (done) (empty;W)
        → ceval K E W

run is implemented in Elf as:

Elf

  run : st (emptys ;; K) (ev E & done) (empty)
        =>* st (emptys) (done) (empty ; W)
        -> ceval K E W.

This concludes the representation and implementation of the language T and its natural and operational semantics. As we will see in the next section, when representing T in CIC and Coq, the inference machine in Coq supports the user in deriving meta theoretical results, for example the equivalence theorem 2.2. We can use LF as a representation mechanism, but Elf does not support the search for meta theoretical results. The representation of those results in LF is often possible when the proof is done by structural induction. Typically these inductive proofs are done by case distinction over some derivation. The theorem is represented as a type and the different cases of the induction proof as constructors for this type. We show in the remainder of this section how theorem 2.2 in section 2.1 can be represented in LF and implemented in Elf.

Representation  and  Implementation  of  the  Equivalence  Theorem 

We remarked earlier that the proof of lemma 2.1 has to be formalized a little more if it should be representable in a formal system. A more rigorous treatment of "how to append multi step transitions" is necessary. Because of its definition a multi step transition can be extended by prefixing it with a single step transition which ends in the start state of the transition. For the proof of case ev_app in lemma 2.1, two multi step transitions have to be concatenated. The next lemma guarantees that this kind of concatenation is always possible, i.e. the concatenation of two multi step transitions yields a new multi step transition, as long as they end and start in the same state, respectively.

Lemma 2.7 (append) For every two traces $T : S \Rightarrow^* S'$ and $T' : S' \Rightarrow^* S''$ there exists a trace $R : S \Rightarrow^* S''$.

Proof: Easy proof by induction over $T$:

Case: $T = \mathit{id}$. Therefore $S' = S$. Choose $R = T'$.

Case: $T = A \sim T''$, with $A : S \Rightarrow S'''$ and $T'' : S''' \Rightarrow^* S'$. By induction hypothesis we have a trace $R' : S''' \Rightarrow^* S''$. Construct $R = A \sim R'$; then $R : S \Rightarrow^* S''$ satisfies the condition.

□
This proof can easily be represented in LF: first we have to represent the lemma in LF. The lemma is transformed into the type append:

LF

  append : ΠSt:state. ΠSt':state. ΠSt'':state.
           St ⇒* St'
           → St' ⇒* St''
           → St ⇒* St''
           → type

which can be represented in Elf:

Elf

  append : St =>* St'
           -> St' =>* St''
           -> St =>* St''
           -> type.

Both cases of the proof are represented as constructors of a dependent type:

LF

  apd_id   : ΠSt:state. ΠSt1:state. ΠC:St ⇒* St1.
             append id C C

  apd_step : ΠSt:state. ΠSt1:state. ΠSt2:state.
             ΠC:St ⇒* St1. ΠC':St1 ⇒* St2. ΠC'':St ⇒* St2. ΠSt3:state. ΠR:St3 ⇒ St.
             append C C' C''
             → append (R ~ C) C' (R ~ C'')

We implement these constructors in Elf:

Elf

  apd_id   : append (id) C C.
  apd_step : append (R ~ C) C' (R ~ C'')
             <- append C C' C''.

As we have seen in section 2.1, the concatenation of two multi step derivations is necessary to prove the subcomputation lemma 2.1, which is necessary to prove the equivalence theorem 2.2. We will now give a representation of the subcomputation lemma 2.1 in LF. The idea is the same as in the append lemma: the lemma is represented as the type subcomp and the proof as the object constructors for this type:

LF

  subcomp : ΠK:env. ΠE:exp. ΠW:val. ΠH:envstack. ΠP:program. ΠS:env.
            feval K E W
            → st (H;;K) (ev E&P) S ⇒* st H P (S;W)
            → type



Its  implementation  in  Elf  is  similar: 


We will now give the representation of the different cases of the proof of lemma 2.1 in LF:

LF

  sc_1   : ΠK:env. ΠW:val. ΠKs:envstack. ΠP:program. ΠK1:env.
           subcomp fev_1 (c_1 ~ id)

  sc_↑   : ΠK:env. ΠF:exp. ΠW:val. ΠKs:envstack. ΠP:program. ΠK1:env. ΠW':val.
           ΠD1:feval K F W. ΠC1:st (Ks;;K) (ev F&P) K1 ⇒* st Ks P (K1;W).
           subcomp D1 C1 → subcomp (fev_↑ D1) (c_↑ ~ C1)

  sc_lam : ΠK:env. ΠF:exp. ΠKs:envstack. ΠP:program. ΠK1:env.
           subcomp fev_lam (c_lam ~ id)

  sc_app : ΠKs:envstack. ΠK:env. ΠF:exp. ΠF1:exp. ΠP:program. ΠK1:env.
           ΠK2:env. ΠF2:exp. ΠW:val. ΠW1:val.
           ΠC':st (Ks;;K) (ev (app F F1)&P) K1 ⇒* st Ks (apply&P) (K1;clo K2 (lam F2);W).
           ΠC3:st (Ks;;(K2;W)) (ev F2&P) K1 ⇒* st Ks P (K1;W1).
           ΠC:st (Ks;;K) (ev (app F F1)&P) K1 ⇒* st Ks P (K1;W1).
           ΠC1:st (Ks;;K;;K) (ev F&ev F1&apply&P) K1 ⇒* st (Ks;;K) (ev F1&apply&P) (K1;clo K2 (lam F2)).
           ΠC2:st (Ks;;K) (ev F1&apply&P) (K1;clo K2 (lam F2)) ⇒* st Ks (apply&P) (K1;clo K2 (lam F2);W).
           ΠD3:feval (K2;W) F2 W1. ΠD2:feval K F1 W. ΠD1:feval K F (clo K2 (lam F2)).
           append C' (c_apply ~ C3) C
           → append (c_app ~ C1) C2 C'
           → subcomp D3 C3
           → subcomp D2 C2
           → subcomp D1 C1
           → subcomp (fev_app D3 D2 D1) C


The result of the transformation into Elf is somewhat shorter:

Elf

  sc_1   : subcomp (fev_1) (c_1 ~ id).
  sc_^   : subcomp (fev_^ D1) (c_^ ~ C1)
           <- subcomp D1 C1.
  sc_lam : subcomp (fev_lam) (c_lam ~ id).
  sc_app : subcomp (fev_app D3 D2 D1) C
           <- subcomp D1 C1
           <- subcomp D2 C2
           <- subcomp D3 C3
           <- append (c_app ~ C1) C2 C'
           <- append C' (c_apply ~ C3) C.

The implementation of the equivalence theorem now follows trivially:

LF

  cev_complete : ΠK:env. ΠF:exp. ΠW:val.
                 feval K F W
                 → ceval K F W
                 → type

  cevc : ΠK:env. ΠF:exp. ΠW:val. ΠD:feval K F W.
         ΠC:st (emptys;;K) (ev F&done) empty ⇒* st emptys done (empty;W).
         subcomp D C
         → cev_complete D (run C)

and finally its implementation in Elf has the form:

Elf

  cev_complete : feval K F W -> ceval K F W -> type.
  cevc : cev_complete D (run C) <- subcomp D C.


Execution  in  Elf 

Elf is a logic programming language. Signatures can be executed. We show the execution of the proof of the equivalence theorem. Assume we are given three λ-expressions:

  $M_1 = (\lambda x.\,\lambda y.\,(x\ y))$
  $M_2 = (\lambda x.\,\lambda y.\,x)$
  $M_3 = (\lambda x.\,x)$

Using adequacy we can represent the three λ-expressions in LF:

  M1 = (lam (lam (app (1↑) 1)))
  M2 = (lam (lam (1↑)))
  M3 = (lam 1)
Next we determine the meaning of $M = ((M_1\ M_2)\ M_3)$ according to the natural semantics. This is done by asking the following query:

  D : (feval empty ((M1 M2) M3) X)

Note that we use M1, M2, M3 only as abbreviations for LF objects; written out, the query reads as follows. It contains only two free logical variables: D and X.

  D : feval empty (app (app (lam (lam (app (1 ^) 1))) (lam (lam (1 ^)))) (lam 1)) X

Elf answers this query with the following output:

  X = clo (empty ; clo empty (lam 1)) (lam (1 ^)),
  D =
     fev_app (fev_app fev_lam fev_1 (fev_^ fev_1)) fev_lam
       (fev_app fev_lam fev_lam fev_lam).
  yes

D corresponds to the proof that the natural meaning of ((M1 M2) M3) is {(·; {·, λ 1}), λ (1↑)}.
The equivalence theorem says that the operational meaning must be the same. Since we
implemented one direction of the equivalence proof, we can transform D into an object which
corresponds to the proof that this value X is also the operational meaning of M. Using the sigma
type, available on the Elf toplevel, we can easily formulate the query as

sigma [D : feval empty (app (app (lam (lam (app (1↑) 1)))
                             (lam (lam (1↑)))) (lam 1)) X] cev_complete D E.

The execution of this program yields:

E =
   run (c_app ~ c_app ~ c_lam ~ c_lam ~ c_apply ~ c_lam ~ c_lam ~ c_apply ~
        c_app ~ c_↑ ~ c_1 ~ c_1 ~ c_apply ~ c_lam ~ id),
X = do (empty ; do empty (lam 1)) (lam (1↑)).
yes

The variable E represents the sequence of CLS-commands that calculate the result. The variable
X represents the natural meaning of M. To check that this is also the operational meaning, we
can ask the following query, in which Y is the only logical variable:

run (c_app ~ c_app ~ c_lam ~ c_lam ~ c_apply ~ c_lam ~ c_lam ~ c_apply ~
     c_app ~ c_↑ ~ c_1 ~ c_1 ~ c_apply ~ c_lam ~ id)
  : ceval empty (app (app (lam (lam (app (1↑) 1))) (lam (lam (1↑)))) (lam 1)) Y

Elf verifies our expectation:

Y = do (empty ; do empty (lam 1)) (lam (1↑)).
yes 
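The natural semantics and the CLS machine that these queries exercise, as an added Python example (not code from the thesis, nor Elf): feval implements the feval rules, single and ceval the CLS transitions, and both are run on M = ((M1 M2) M3). It assumes environments are Python tuples with cons K W written as K + (W,), and the transition names use top/pop for the de Bruijn instructions 1 and ↑.

```python
"""Natural semantics (feval) and CLS machine (ceval) for the de Bruijn language
of this section, run on M = ((M1 M2) M3).  Added example, not thesis code."""
from dataclasses import dataclass
from typing import Tuple, Union


# De Bruijn expressions: 1 (Top), F↑ (Pop), application and abstraction.
@dataclass(frozen=True)
class Top:
    pass


@dataclass(frozen=True)
class Pop:
    e: "Exp"


@dataclass(frozen=True)
class App:
    f1: "Exp"
    f2: "Exp"


@dataclass(frozen=True)
class Lam:
    body: "Exp"


Exp = Union[Top, Pop, App, Lam]


# A value is a closure do K (lam F).  An environment K is a tuple of values;
# empty is () and cons K W is K + (W,), so the top of K is K[-1].
@dataclass(frozen=True)
class Do:
    env: Tuple["Do", ...]
    exp: Lam


def feval(K: Tuple[Do, ...], F: Exp) -> Do:
    """The natural semantics judgement feval K F W, one case per rule."""
    if isinstance(F, Top):                       # fev_1:   (K; W) ⊢ 1 ⇒ W
        return K[-1]
    if isinstance(F, Pop):                       # fev_↑:   K ⊢ F ⇒ W gives (K; W') ⊢ F↑ ⇒ W
        return feval(K[:-1], F.e)
    if isinstance(F, Lam):                       # fev_lam: K ⊢ lam F ⇒ do K (lam F)
        return Do(K, F)
    clo = feval(K, F.f1)                         # fev_app: K ⊢ F1 ⇒ do K' (lam F1')
    w2 = feval(K, F.f2)                          #          K ⊢ F2 ⇒ W2
    return feval(clo.env + (w2,), clo.exp.body)  #          (K'; W2) ⊢ F1' ⇒ W


# Instructions of the CLS machine: ev F for an expression and the keyword apply.
@dataclass(frozen=True)
class Ev:
    exp: Exp


APPLY = "apply"
State = Tuple[tuple, tuple, tuple]   # (environment stack, program, result stack)


def single(state: State) -> Tuple[str, State]:
    """One transition of the CLS machine; returns the rule used and the new state."""
    Ks, P, S = state
    ins, P = P[0], P[1:]
    if ins == APPLY:                             # c_apply: pop closure and argument from S
        clo, w2 = S[-2], S[-1]
        return "c_apply", (Ks + (clo.env + (w2,),), (Ev(clo.exp.body),) + P, S[:-2])
    Ks, K, F = Ks[:-1], Ks[-1], ins.exp          # every ev F consumes the top environment
    if isinstance(F, Top):                       # c_1 (c_top): push the top of K onto S
        return "c_top", (Ks, P, S + (K[-1],))
    if isinstance(F, Pop):                       # c_↑ (c_pop): drop the top of K, evaluate F
        return "c_pop", (Ks + (K[:-1],), (Ev(F.e),) + P, S)
    if isinstance(F, Lam):                       # c_lam: push the closure onto S
        return "c_lam", (Ks, P, S + (Do(K, F),))
    return "c_app", (Ks + (K, K), (Ev(F.f1), Ev(F.f2), APPLY) + P, S)


def ceval(K: Tuple[Do, ...], F: Exp):
    """Run from st (emptys; K) (ev F; done) empty until the program is done;
    returns the value W of the final state and the sequence of rules applied."""
    state, rules = ((K,), (Ev(F),), ()), []
    while state[1]:
        rule, state = single(state)
        rules.append(rule)
    Ks, _, S = state
    if Ks != () or len(S) != 1:                  # final state must be st emptys done (empty; W)
        raise ValueError("CLS machine did not stop in a final state")
    return S[0], rules


# The three lambda expressions of the section in de Bruijn form.
M1 = Lam(Lam(App(Pop(Top()), Top())))   # λx. λy. (x y)
M2 = Lam(Lam(Pop(Top())))               # λx. λy. x
M3 = Lam(Top())                         # λx. x
M = App(App(M1, M2), M3)

if __name__ == "__main__":
    natural = feval((), M)
    operational, trace = ceval((), M)
    print("X =", natural)
    print("E =", " ~ ".join(trace) + " ~ id")
    print("natural meaning == operational meaning:", natural == operational)
```

The rule sequence returned by ceval is exactly the command list E that Elf computed above, and the value agrees with X.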

This  concludes  the  section  on  LF  and  Elf.  For  more  examples  how  to  use  LF  type  theory 
and  the  programming  language  Elf,  we  refer  the  reader  to  the  literature  [MP91,  Pfe99,  Pfe92, 
Pfe94c,  Pfe94b,  Pfe95]. 




2.3  Calculus  of  Inductive  Constructions  and  Coq 

In this section we present the representation of the language T in a different type theory:
the calculus of inductive constructions (CIC). This signature is then represented in Coq.

This section is divided into two subsections. In the first subsection we introduce the
theoretical foundation of the calculus of inductive constructions. Originally, Coq was based on the
"regular" calculus of constructions [CH88, C+95, PM93], but the demand for the notion of
inductive types and recursion led to an extension of the calculus and to a new version of Coq:
V5.10.

In the second subsection we implement the language T in Coq [C+95, LPM94].
Since LF is in some sense a subset of CIC, we do not go into a detailed representation of
the different notions in CIC, but reuse the results from the last section: we only show the
representation of the example in Coq and how to use Coq as an assistant. We then state
the equivalence theorem in Coq and prove it using the inference component of Coq.

2.3.1 Calculus of Inductive Constructions

We give a brief overview of the theoretical foundations of the calculus of inductive
constructions (CIC). This summary is based on the work of Christine Paulin-Mohring about inductive
definitions in the system Coq [PM93] and the Coq user manual [C+95]. Some more work has
been done in the area: [Hue88, DH94]. This subsection is divided into two paragraphs. The first
paragraph treats the notions of terms, context, and environment. There are some differences in
naming between LF and CIC. An environment in CIC corresponds roughly to a signature in LF.
The second paragraph presents the inference rules for Coq.

Terms 

The basic language of CIC is the language of terms. Object, type and kind level can be recovered
from the notion of terms by defining external judgments. Terms are defined as follows:

Definition 2.8 (Terms) A term t in CIC can be formed as

t ::= c | s | x | (x : t_1)t_2 | [x : t_1]t_2 | (t_1 t_2)

where c is a constant defined in the environment (which will be introduced later) and s is a sort.
(x : t_1)t_2 corresponds to a Π-abstraction. [x : t_1]t_2 corresponds to a λ-abstraction. (t_1 t_2) stands
for application.

In LF, λ-expressions are defined on the object level. The variable bound by a λ-expression
has to be of a type A. In CIC, the λ-expression [x : t_1]t_2 expects x to be of type t_1. Note that
[x : t_1]t_2 is also a term t. In LF, there are two different notions of Π-abstraction: Π-abstraction
on the type level and Π-abstraction on the kind level. In CIC there is only one Π-abstraction,
written as (x : t)t. Because of the recursive definition, there are many different layers of types.
What is worse: self-referential constructions are possible. To avoid self-referential types, the
notion of sorts is introduced. Every term must be of a sort. Since sorts are terms, a well-
ordering of sorts is required: this is done by introducing the notion of type universes. Type
universes are indexed by natural numbers: two indexed sorts are defined in CIC: Type(i) and
Typeset(i). There are two basic sorts: Set and Prop.

The next constructs to be defined are contexts and environments. Contexts are defined
similarly to LF: a context is a list of variable names and their types. Since there are no types,
variables have to be typed with terms.

Definition 2.9 (Context) Γ is a context :iff

Γ ::= · | Γ, x : t

The environment represents all defined constants. Constants can be declared to be of type
t: c : t. In LF two different kinds of constants were introduced by signatures: type constants
and object constants. Since there is no distinction between types and objects from a syntactical
point of view, there is only one declaration of constants in CIC. Two non-standard constructions
can be found in an environment: the declaration Def(Γ)(c := t_1 : t_2) serves to introduce new
constants as names for already existing terms. We say constants are defined. The declaration
Ind(Γ)[Γ_p](Γ_I := Γ_C) serves to introduce inductive and mutually inductive types. We say that
by this declaration constants are inductively defined. In this definition the first parameter Γ
represents the context in which the inductive type is to be defined. Γ_p stands for a set of
parameters. This allows the definition of generic types. Γ_I stands for a context of definitions.
In a simple setting one would expect Γ_I to contain only one element, namely the constant
to be defined. The problem arises with mutually recursive types. By making Γ_I a context,
simultaneous definitions of mutually inductive types are possible. The context Γ_C represents a
set of constructors.

Definition 2.10 (Environment) E is an environment :iff

E ::= · | E; c : t | E; Def(Γ)(c := t : t) | E; Ind(Γ)[Γ](Γ := Γ)

These are the basic notions we need to define the judgements and inference rules in the next
paragraph.

Rules 

In this section we briefly introduce the judgements concerning typing. We follow the
presentation in [C+95], chapter 6.

The first judgement is concerned with the well-formedness of an environment E and a context
Γ which possibly depends on E. This judgement has the form

WF(E)[Γ]

It corresponds to the LF judgement ⊢ Γ ctx.

The second judgement stands for well-typedness. It expresses that a term t is of type T, with
t, T terms built from constants and variables defined in E and Γ. The judgment has the general
form:

E[Γ] ⊢ t : T

It would be beyond the aim of this chapter to give a complete overview of all typing rules.
We restrict ourselves to a few of them. The aim is to sketch the idea. For a more complete
presentation consult [C+95].

Well-formedness rules  First we present the base case. The following rule says that the
empty context and the empty environment are always well-formed.

------------ wfemp
  WF(∅)[∅]

From the definition of environment it follows that there are three different ways to declare
constants: declaration, definition and inductive definition. We examine well-formedness for
definitions and inductive definitions:

A constant definition is of the form Def(Γ)(c := t : T). t, T are both terms; t stands for an
object of type T. Since t is a term, it can take different forms. There is not one well-formedness
rule for definitions but one for every form of t. We present the rule in the case of t being an
abstraction.

  WF(E; Def(Γ; x : U)(c := t : T); E')[Δ]        WF(E)[Γ]
---------------------------------------------------------------------------- wfdeflam
  WF(E; Def(Γ)(c := [x : U]t : (x : U)T); [c/(c x)](E'))[[c/(c x)](Δ)]

This rule reads as follows: If E and Γ are well-formed, and the extension of environment E
by a new constant definition c := t : T in a new context Δ is well-formed, then the environment
E extended by the definition of c being [x : U]t of type (x : U)T is well-formed in Δ. [x : U]t
corresponds to a λ-abstraction, (x : U)T corresponds to the formation of a Π-type. Since c can
occur free in the remaining environment E' and the context Δ, all occurrences of c have to be
replaced by c applied to x in E' and Δ. We remark that t and T can contain free variables
from context Γ.

Next we address the problem of well-formedness of inductive definitions. Before we describe
the rule, we have to define some more concepts:

We have seen in LF that types and dependent types are also "typed". These types are called
kinds. Since the distinction vanishes in Coq, an auxiliary notion has to be introduced, the notion
of sort and arity. A term t is an arity of sort s when it is either a sort itself or a Π-closure of
this sort. Arities are therefore defined as:

Definition 2.11 (Arity) T is an arity of sort s :iff

T = s or T = (x : U)T' with T' arity of sort s

In LF there is the notion of canonical forms. Without going into details, the canonical form
of a type is always something like

(x_1 : T_1)..(x_k : T_k) I t_1...t_n

This term is a type of constructor of I because, when instantiated appropriately, it generates an
instance of type I t_1...t_n. We define the type of constructor more formally after the following
example:

Example 2.12 Consider the following example: Define exp as a type constant of sort type(1).
Then the following term is an arity of sort type(1) in CIC: (e : exp)(v : exp) type(1); we can
define a new type constant:

eval : (e : exp)(v : exp) type(1)

eval is a dependent type. Object constants are also referred to as constructors in CIC. In the
example, eval_s : (e : exp)(v : exp)(d : eval e v) eval (s e) (s v) defines the constructor eval_s.
(e : exp)(v : exp)(d : eval e v) eval (s e) (s v) is a type of constructor of eval.

Here is the formal definition:

Definition 2.13 (Type of constructor) T is a type of constructor of I :iff

T = (I t_1 t_2 ... t_n) or T = (x : U)T' with T' type of constructor of I

Finally we have to define the so-called positivity condition. This condition says that

Definition 2.14 (Positivity condition) T satisfies the positivity condition with respect to a
constant X :iff

1. if T = (I' t_1...t_n) then X does not occur in t_1...t_n

2. if T = (x : U)T' then U, T' satisfy the positivity condition with respect to X

There is also a strict positivity condition:

Definition 2.15 (Strict positivity condition) T satisfies the strict positivity condition with
respect to a constant X :iff

1. if T = (I' t_1...t_n) then X does not occur in t_1...t_n

2. if T = (x : U)T' then X does not occur in U and T' satisfies the positivity condition with
respect to X

With these definitions we can now address the well-formedness of inductive definitions. Let
Γ, Γ_p, Γ_I, Γ_C be contexts. Γ, Γ_p are contexts in which the definition takes place; we do not need
to examine their structure. Γ_I stands for the set of defined inductive constants and their types:
Γ_I := a_1 : A_1; ... a_k : A_k. Γ_C is the context which defines the constructors for the inductively
defined types: Γ_C := c_1 : C_1; ... c_n : C_n. E is the environment.

  WF(E)[Γ]     (E[Γ; Γ_p] ⊢ A_j : s'_j)_{j=1..k}     (E[Γ; Γ_p; Γ_I] ⊢ C_i : s_i)_{i=1..n}
-------------------------------------------------------------------------------------- wfind
  WF(E; Ind(Γ)[Γ_p](Γ_I := Γ_C))[Γ]

provided that

• s'_j, s_i are sorts

• a_j, c_i are different names (j = 1..k, i = 1..n)

• A_j is an arity of sort s'_j and a_j ∉ Γ ∪ Γ_p ∪ E (j = 1..k)

• C_i is a type of constructor of a_j (for some j ≤ k), which satisfies the positivity condition
for the constants of Γ_I, and c_i ∉ Γ ∪ Γ_p ∪ E (i = 1..n)

This rule reads as follows: To prove the well-formedness of an inductive definition we first have
to prove that the environment and the context Γ are well-formed, that is, that the setting
in which the definition takes place is represented in CIC. Second, it has to be checked whether the
types newly introduced by the definition are actually types in the current setting. To do so, it
must be checked that every A_j is of sort s'_j in the context Γ; Γ_p. Finally it has to be checked
that the constructor types are types. Note that since mutual dependencies are possible, the
context is extended by Γ_I. We obtain Γ; Γ_p; Γ_I as the actual context. The side conditions ensure
that every declaration in Γ_C contributes to the definition of a type in Γ_I.

Rules for well-typedness  As mentioned above, besides the well-formedness judgment, there
is also a well-typedness judgment: E[Γ] ⊢ t : T. This judgement corresponds to the LF judgment
Γ ⊢_Σ M : A. It expresses the property that a term t has type T in an environment E and context
Γ. In the following, we present a few selected inference rules, which should serve two
purposes. First we want to show the relationship between well-typedness and well-formedness,
and second we want to present the most important features of the semantics.

The following two rules show that if an environment and a context are well-formed, then it
is possible to extract typing information from either of them:

  WF(E)[Γ]    (x : T) ∈ Γ                WF(E)[Γ]    (c : T) ∈ E
-------------------------- tpvar       -------------------------- tpconst
       E[Γ] ⊢ x : T                           E[Γ] ⊢ c : T

In the case of abstraction we obtain the following rule:

  E[Γ] ⊢ (x : T)U : s     E[Γ; x : T] ⊢ t : U
--------------------------------------------- tplam
       E[Γ] ⊢ [x : T]t : (x : T)U

The rule reads as follows: If a λ-expression [x : T]t is to be checked to be of Π-type (x : T)U,
then two conditions have to be verified: First, (x : T)U must be a type, i.e. it must be proven
to be of a sort s. This must be done because there are types which look correct but are not,
because of self-reference. Second, t must be of type U, assuming x to be of type T in context Γ.

If the rules are read from top to bottom, we see that the rules represent a logic: The type
(x : T)U can be read as a universally quantified formula. When (x : T)U is a well-formed formula,
and a proof term for (x : T)U can be derived, then we consider (x : T)U to be true. The object
[x : T]t can therefore be interpreted as a program or as a proof term of the statement "for all x
of type T, U holds".

We address the problem of typing with inductive definitions: Assume that we are working in
a context Γ with r parameters, defined in the context Γ_p. The context of inductively defined
constants is defined as Γ_I = a_1 : A_1 ... a_k : A_k. For every inductively defined constant we
define a set of constructor terms. All these constructor terms and their types are summarized
in the context Γ_C = c_1 : C_1; ... c_n : C_n. Let Ind(Δ)[Γ_p](Γ_I := Γ_C) be an inductive definition in the
environment. Every type C_i is a type of constructor of an a_j. The form of C_k is implicitly given
as

(x_1 : T_1)..(x_s : T_s) a_j

Variables introduced in the Π-closure of C_k may depend on types which are defined in Γ_I.
These variables are called recursive.

To perform a proof over a mutually inductively defined type, k properties P_1...P_k have to be
proven. The property P_i expresses something about the inductive type a_i. It depends on all
arguments of type a_i, that is on l_i terms, and on the object the property P_i should
be proven for. The destructor proof term of an inductive type has the form:

(P_1...P_k) Match c with f_1 ... f_n end

c is assumed to be constructed by one of the constructors c_i : C_i in Γ_C. Therefore, it must be
of the form

The f_i represent proof objects of the different cases of a derived induction principle. We will see
shortly how induction principles are generated. The operational meaning of this proof term
is that by means of the form of the constructor c_i the proof term f_i can be selected, and the
Match-expression can be reduced. This is called ι-reduction. A more detailed presentation of
reduction is given in [C+95].

Now we address the definition of the typing rule for inductive definitions itself. Assume
we have a derivation of a term of a type defined within the inductive type:

E[Γ] ⊢ c : (a_i q_1...q_r t_1...t_s)

First we have to show that the properties P_j are well-formed types, that is, they must be of
sort B_j, for j ≤ k. We also have to show that the sort of (a_i q_1...q_r) is "bigger" than the sort
B_i. We omit the details; the reader may consult [C+95]. Next we have to find proof terms f_i for
every induction principle derived by the constructors c_i: The induction principles are derived
by a rather technical construction of {c : T}:

Definition 2.16 (Induction principle) The induction principle is defined by

{c : (a_i q_1...q_r t_1...t_{l_i})}^{P_1..P_k}_{Γ_I} = (P_i c)

{c : (x : T)T'}^{P_1..P_k}_{Γ_I} = (x : T){(c x) : T'}^{P_1..P_k}_{Γ_I}                                     x non-recursive

{c : (x : T)T'}^{P_1..P_k}_{Γ_I} = (x : T){x : T}^{P_1..P_k}_{Γ_I} → {(c x) : T'}^{P_1..P_k}_{Γ_I}       x recursive

The first case says that an object of the type a_i is replaced by the proposition P_i. The
second case expresses that Π-abstraction must be interpreted as universal quantification under
the assumption that x is not recursive. If it is recursive, i.e. its type is defined by means of Γ_I,
the induction hypothesis has to be provided: this is expressed by the third case. We now sketch
the typing rule for inductive definitions:

  E[Γ] ⊢ c : (a_i q_1..q_r t_1..t_s)    (E[Γ] ⊢ P_j : B_j)_{j≤k}    (E[Γ] ⊢ f_i : {(c_i q_1..q_r) : (C_i q_1..q_r)}^{P_1..P_k}_{Γ_I})_{i≤n}
--------------------------------------------------------------------------------------------------------------- tpind
  E[Γ] ⊢ (P_1..P_k) Match c with f_1 ... f_n end : (P_i c)


The following example shows a simplified version of tpind:

Example 2.17 Consider the simple inductive definition of the natural numbers: as before we
define a type exp : type(1). The inductive type of natural numbers has the following form:

X := Ind(∅)[∅]((exp : type(0)) := (z : exp; s : exp → exp))

The environment consists of exp : type(1) and X. The variable P stands for the property we try
to prove. It expects only one argument, a natural number: P : exp → s, where s is a sort. The
construction of the induction principles yields the following result:

{z : exp}^P_exp = (P z)

{s : exp → exp}^P_exp = {s : (e : exp) exp}^P_exp
                      = (e : exp){e : exp}^P_exp → {(s e) : exp}^P_exp
                      = (e : exp)(P e) → (P (s e))

Finally we describe a simplified version of the typing rule for induction, tpind. Note that E
contains only the inductive definition X and Γ is empty. We therefore omit E[Γ]. The version
of the match rule for this example has the simplified form:


h  c  :  exp 


h  P  :  exp  s  fi:  {P  z)  1“  /2  :  (e  :  exp)  {P  e)  [P  [s  e)) 
h  (P)  Match  c  with  /i,  /2  end  :  (P  c) 


tpind 

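The construction {c : T} of Definition 2.16, as an added Python example that is not part of the thesis and not Coq's own implementation: a toy term syntax, the three cases of the definition, and a run on the constructors z and s of Example 2.17 and on eval_s from Example 2.12. It assumes (as the text states for P_i) that the property is applied to the l_i index terms t_1..t_l before the object c, and that a variable is recursive when the head constant of its type is one of the constants of Γ_I.

```python
"""Added example: the induction-principle construction {c : T} of Definition 2.16,
applied to the constructors of Example 2.17 (z, s) and Example 2.12 (eval_s)."""
from dataclasses import dataclass
from typing import Dict, Set, Tuple, Union


# A tiny term language: a constant or variable is a str, (x : dom)cod is Pi,
# and (head t_1 ... t_n) is App.  A non-dependent arrow A -> B is Pi("_", A, B).
@dataclass(frozen=True)
class Pi:
    x: str
    dom: "Term"
    cod: "Term"


@dataclass(frozen=True)
class App:
    head: str
    args: Tuple["Term", ...]


Term = Union[str, Pi, App]


def head_constant(t: Term) -> str:
    """The constant at the head of a type, looking through its Pi-closure."""
    while isinstance(t, Pi):
        t = t.cod
    return t.head if isinstance(t, App) else t


def apply_to(f: Term, arg: Term) -> App:
    """(f arg): extend an existing application or start a new one."""
    if isinstance(f, App):
        return App(f.head, f.args + (arg,))
    return App(f, (arg,))


def induction(c: Term, T: Term, inductives: Set[str], props: Dict[str, str],
              nparams: int = 0) -> Term:
    """{c : T}^{P_1..P_k}_{Gamma_I} from Definition 2.16.

    inductives holds the constants a_1..a_k of Gamma_I, props maps each a_i to
    the name of its property P_i, and nparams is the number r of parameters
    q_1..q_r of the inductive type (assumption: they are not passed to P_i)."""
    if isinstance(T, Pi):
        x, U, rest = T.x, T.dom, T.cod
        body = induction(apply_to(c, x), rest, inductives, props, nparams)
        if head_constant(U) in inductives:
            # third case: x is recursive, so its induction hypothesis {x : U}
            # is assumed before the conclusion about (c x)
            hyp = induction(x, U, inductives, props, nparams)
            return Pi(x, U, Pi("_", hyp, body))
        # second case: x non-recursive, plain universal quantification
        return Pi(x, U, body)
    # first case: T = (a_i q_1..q_r t_1..t_l); the result is P_i applied to the
    # indices t_1..t_l and to the object c itself (the text writes (P_i c))
    a = head_constant(T)
    indices = T.args[nparams:] if isinstance(T, App) else ()
    return App(props[a], indices + (c,))


def show(t: Term) -> str:
    """Print a term in the (x:A)B notation of the section."""
    if isinstance(t, str):
        return t
    if isinstance(t, App):
        return "(" + " ".join([t.head] + [show(a) for a in t.args]) + ")"
    if t.x == "_":
        dom = show(t.dom)
        if isinstance(t.dom, Pi):        # keep a Pi-typed hypothesis grouped
            dom = "(" + dom + ")"
        return dom + " -> " + show(t.cod)
    return "(" + t.x + ":" + show(t.dom) + ")" + show(t.cod)


# Example 2.17: Ind(.)[.]((exp : type(0)) := (z : exp; s : exp -> exp)), P : exp -> s.
EXP_CONSTRUCTORS = {"z": "exp", "s": Pi("e", "exp", "exp")}


def exp_principles() -> Dict[str, str]:
    """The induction principle for each constructor of exp."""
    return {name: show(induction(name, T, {"exp"}, {"exp": "P"}))
            for name, T in EXP_CONSTRUCTORS.items()}


# Example 2.12: eval_s : (e : exp)(v : exp)(d : eval e v) eval (s e) (s v); only
# eval is being defined inductively here, exp is already in the environment.
EVAL_S = Pi("e", "exp", Pi("v", "exp",
            Pi("d", App("eval", ("e",  "v")),
               App("eval", (App("s", ("e",)), App("s", ("v",)))))))


def eval_s_principle() -> str:
    return show(induction("eval_s", EVAL_S, {"eval"}, {"eval": "P"}))


if __name__ == "__main__":
    for name, principle in exp_principles().items():
        print("{" + name + " : ...} = " + principle)
    print("{eval_s : ...} = " + eval_s_principle())
```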

This  concludes  our  presentation  of  the  calculus  of  inductive  constructions.  In  the  next 
subsection  we  describe  Coq. 


2.3.2  Coq 

In  this  section  we  will  present  an  implementation  of  the  language  T  from  section  2.1  using  Coq. 
As  in  section  2.2.2,  we  implement  de  Bruijn  expressions,  the  notion  of  natural  and  operational 
semantics  and  the  equivalence  theorem.  We  will  use  Coq’s  inference  engine  to  prove  the  append 
lemma  and  the  equivalence  theorem. 


How to use Coq

Coq V5.10 is a proof assistant. It is a direct implementation of CIC. Coq has a very sophisticated
user interface. Because an inference component is included in the distribution, the command
language of Coq is equipped with many features which are not used in this presentation.
There are at least two different ways to define inductive types: inductively and recursively. We
omit all details of how to use Coq and refer the interested reader to [C+95]. In the remainder
of this subsection we show how to use features of Coq when they are needed.
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Implementation  of  T 

We  implement  de  Bruijn  expressions  by  the  inductive  type  exp.  It  must  be  defined  inductively, 
because  app  depends  on  exp:  Inductive  definitions  are  easily  represented  in  Coq,  Here  is  the 
implementation: 

Inductive 
exp;  Set  := 
top  :  exp 
I  pop  :  exp  ->  exp 
I  app  :  exp  ->  exp  ->  exp 
I  lam  :  exp  ->  exp. 

Environment  and  values  have  to  be  implemented  as  inductive  types,  too.  Recall,  that  the 
notion  of  environment  cannot  be  defined  as  a  stack  of  expressions.  An  environment  is  a  stack 
of  values,  values  are  closures  of  environments  and  expressions.  Both  notions  have  to  be  imple¬ 
mented  by  mutual  induction.  CIC  and  Coq  support  mutually  dependent  inductive  definitions. 
Values  are  implement  as  type  val.  Environments  are  implemented  as  type  env: 

Mutual  Inductive  env:  Set  := 
empty  :  env 

1  cons  :  env  ->  val  ->  env 

with 

val:  Set  := 

do  :  env  exp  ->  val. 

Implementation of the Natural Semantics

In this paragraph we show the implementation of the evaluation judgement eval : env → exp →
val → type. Recall that the first parameter stands for the actual environment (in the sense of
section 2.1). The second parameter represents the program to be executed. The third argument
represents the natural meaning of the second.

The evaluation judgment is implemented as the inductive type eval. Note that in terms of
CIC, eval is a type constant of the term env -> exp -> val -> Prop, which is an arity of sort
Prop.

Inductive eval : env -> exp -> val -> Prop :=
    ev_top : (K: env)(W: val) (eval (cons K W) top W)
  | ev_pop : (K: env)(F: exp)(W: val)(W': val)
             (eval K F W) -> (eval (cons K W') (pop F) W)
  | ev_lam : (K: env)(F: exp) (eval K (lam F) (do K (lam F)))
  | ev_app : (K: env)(K': env)(F1: exp)(F1': exp)(F2: exp)(W: val)(W2: val)
             (eval K F1 (do K' (lam F1')))
             -> (eval K F2 W2)
             -> (eval (cons K' W2) F1' W)
             -> (eval K (app F1 F2) W).

All four cases correspond directly to the LF types we introduced in section 2.2.2. It is
noteworthy that we do not use the additional expressive power of CIC. We represent LF types
in CIC by implementing them in Coq.

Unfortunately, Coq does not have an appropriate type reconstruction algorithm which would
allow one to omit the Π-closure around the newly defined constructor types. It is easy to see that
the Coq implementation of our example lacks some elegance compared to the representation in
Elf.

Coq offers a certain kind of remedy for this problem: syntactic definitions. Syntactic
definitions help to hide unnecessary arguments of constants, unnecessary in the sense that Coq can
derive the omitted parameters by type inference. But one cannot omit Π-closures when
implementing types in Coq. We implement the following syntactic definitions.

Syntactic Definition i_ev_top := (ev_top ? ?).
Syntactic Definition i_ev_pop := (ev_pop ? ? ? ?).
Syntactic Definition i_ev_lam := (ev_lam ? ?).
Syntactic Definition i_ev_app := (ev_app ? ? ? ? ? ? ?).

Implementation of the CLS Machine

In the first two paragraphs we described an implementation of T and an implementation of the
natural semantics of T. We now focus on the operational aspects of the language. Here is
the implementation of the CLS machine.

We need the notion of environment stacks. Environment stacks are represented as an inductive
type envstack.

Inductive envstack : Set :=
    emptys : envstack
  | conss : envstack -> env -> envstack.

We have seen in section 2.1 that there are two different versions of instructions: de Bruijn
expressions are instructions, and the special keywords which combine subcomputations are
instructions.

We represent instructions as follows. We define an inductive type instruction.
The first kind of instruction is defined using the embedding function ev. The instruction for
combining the two subcomputations of an application is represented by the constant apply.

Inductive instruction : Set :=
    apply : instruction
  | ev : exp -> instruction.

A program is now viewed as a list of instructions; done signals the end of a computation.

Inductive program : Set :=
    done : program
  | consp : instruction -> program -> program.

A state consists of a stack of environments which stores backup copies of the actual
environment, the program as an instruction list, and a result stack in the form of an environment, which
represents intermediate subcomputation results. States are implemented as type state.

Inductive state : Set :=
    st : envstack -> program -> env -> state.

Implementation of T's Operational Semantics

In this paragraph we implement the notion of computation. For this purpose we defined two
type families in section 2.2.2, which represent single-step transitions and multi-step transitions.
Both notions lead quite naturally to the definition of program evaluation with respect to a CLS
machine, that is the operational semantics.

The type representing single-step transitions need not be defined inductively. For the sake
of continuity, we implement it as the inductive type single:

Inductive single : state -> state -> Prop :=
    c_top : (Ks: envstack)(K: env)(W: val)(P: program)(S: env)
            (single (st (conss Ks (cons K W)) (consp (ev top) P) S)
                    (st Ks P (cons S W)))
  | c_pop : (Ks: envstack)(K: env)(W': val)(F: exp)(P: program)(S: env)
            (single (st (conss Ks (cons K W')) (consp (ev (pop F)) P) S)
                    (st (conss Ks K) (consp (ev F) P) S))
  | c_lam : (Ks: envstack)(K: env)(F: exp)(P: program)(S: env)
            (single (st (conss Ks K) (consp (ev (lam F)) P) S)
                    (st Ks P (cons S (do K (lam F)))))
  | c_app : (Ks: envstack)(K: env)(F1: exp)(F2: exp)(P: program)(S: env)
            (single (st (conss Ks K) (consp (ev (app F1 F2)) P) S)
                    (st (conss (conss Ks K) K)
                        (consp (ev F1) (consp (ev F2) (consp apply P))) S))
  | c_apply : (Ks: envstack)(K': env)(F1': exp)(W2: val)(P: program)(S: env)
            (single (st Ks (consp apply P)
                        (cons (cons S (do K' (lam F1'))) W2))
                    (st (conss Ks (cons K' W2)) (consp (ev F1') P) S)).

For better readability we introduce the following syntactic definitions for the single-step
constructors.

Syntactic Definition i_c_top := (c_top ? ? ? ? ?).
Syntactic Definition i_c_pop := (c_pop ? ? ? ? ? ?).



Syntactic Definition i_c_lam := (c_lam ? ? ? ? ?).
Syntactic Definition i_c_app := (c_app ? ? ? ? ? ?).
Syntactic Definition i_c_apply := (c_apply ? ? ? ? ? ?).

The  m.ulti  step  transition  relation  is  only  the  transitive  closure  of  the  single  step  transition 
relation:  It  is  implemented  in  Coq  as  an  inductive  type  multi.  It  must  be  represented  as  an 
inductive  type  because  consm  depends  on  multi. 

Inductive  multi  :  state  ->  state  ->  Prop  :  = 
id  :  (St :  state)  (multi  St  St) 

1  consm  :  (St : state)  (St state)  (St ’’ :state)  (single  St  StO 
->  (multi  St’  St’’) 

“>  (multi  St  St’’). 

This  definition  requires  again  some  syntactic  definitions: 

Syntactic  Definition  i_id  :=  (id  ?) . 

Syntactic  Definition  i_consm  :=  (consm  ?  ?  ?) . 

Finally  we  can  define  the  operational  meaning  of  a  de  Bruijn  expression:  we  implement  the 
inductive  type  ceval,  which  depends  on  the  actual  environment,  the  expression  which  is  to  be 
evaluated.  The  result  is  a  value.  Note,  it  is  not  necessary  to  define  ceval,  inductively. 

Inductive  ceval  :  env  ->  exp  ->  val  ->  Prop  := 
run  :  (K:env) (F:exp) (W:val) 

(multi  (st  (conss  emptys  K)  (consp  (ev  F)  done)  (empty)) 

(st  (emptys)  (done)  (cons  empty  W))) 

“>  (ceval  K  F  W) , 

Here  again,  we  need  to  introduce  a  syntactic  definition. 

Syntactic Definition i_run := (run ? ? ?).

Implementation  of  the  Equivalence  Theorem 

In this paragraph we derive one direction of the equivalence proof with the support of the
inference engine of Coq. We first state and prove the append lemma, which is needed in the
proof of the equivalence theorem.

The definition of the type multi is based on the idea that a trace is defined if and only if it is
either empty or the first step of the trace is a single step transition and the rest is a trace. The
append lemma guarantees that two traces can be concatenated.

The  formulation  of  the  lemma  is  as  follows. 

Lemma append : (A:state) (B:state) (C:state)
                 (multi A B) -> (multi B C) -> (multi A C).
The proof of the theorem is straightforward. The only noteworthy step is the application of
the consm constructor. Here the intermediate state has to be provided by the user. The proof
in Coq has the following form.

Intros A B C H.
Elim H.
Auto.
Intros. Apply consm with St'. Auto.
Auto.
Qed.

The command Intros applies the Π-introduction rule four times. Elim applies a destructor
rule to the inductively defined (multi A B). For a more detailed description of the commands
consult [C+95].

The equivalence theorem states the following fact: when a de Bruijn expression F evaluates
to a value W in context K, then there is a computation trace of a CLS machine, i.e. K ⊢ F W.
We need a stronger induction hypothesis, so we proved the subcomputation lemma 2.1 in
section 2.1. Here is the formulation of this lemma:

Lemma subcomp :
  (K:env) (F:exp) (W:val)
    (eval K F W) -> (Ks:envstack) (P:program) (S:env)
      (multi (st (conss Ks K) (consp (ev F) P) S)
             (st Ks P (cons S W))).

To make the proof easier, we tell the system which constants should be applied automatically.
We do this with the Hint command of Coq.

Hint  c_top  c_pop  c_lam  c_app  c_apply  id. 

Here is the proof. The proof again is straightforward. The difficulty in finding the proof quickly
lies in the hints the user has to give to the system. As the proof shows, 9 different states have
to be calculated by hand and provided to the system. This makes the proof quite complex.

Intros K F W H. Elim H.
Intros. Apply consm with (st Ks P (cons S W0)). Auto.
Auto.
Intros. Apply consm with (st (conss Ks K0) (consp (ev F0) P) S). Auto.
Auto.
Intros. Apply consm with (st Ks P (cons S (do K0 (lam F0)))). Auto.
Auto.
Intros.
Apply consm with (st (conss (conss Ks K0) K0)
                     (consp (ev F1) (consp (ev F2) (consp apply P))) S). Auto.
Apply append with (st (conss Ks K0) (consp (ev F2) (consp apply P))
                      (cons S (do K' (lam F1')))). Auto.
Apply append with (st Ks (consp apply P)
                      (cons (cons S (do K' (lam F1'))) W2)). Auto.
Apply consm with (st (conss Ks (cons K' W2)) (consp (ev F1') P) S). Auto.
Apply append with (st Ks P (cons S W0)). Auto.
Auto.
Qed.

In section 2.1 we saw that the proof of one direction of the equivalence theorem is a direct
consequence of the subcomputation lemma:

Theorem completness :
  (K:env) (F:exp) (W:val)
    (eval K F W) -> (ceval K F W).

Hint run subcomp.

Qed.
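The CLS machine whose single step relation, traces and evaluation judgment are given in Coq above, as an added executable model (example code written for this page, not the thesis's own code and not Coq): it encodes the five transitions c_top, c_pop, c_lam, c_app and c_apply as they can be read off the definitions and the intermediate states in the proofs above, the trace relation multi as iteration of the single step, the append lemma as concatenation of two traces that meet in a common state, and ceval as a run on the empty machine. The de Bruijn constructor names one and shift for the two variable cases, and the encoding of the Coq lists as nested pairs, are assumptions of this example; the subcomp function re-checks the subcomputation lemma by running the machine from an arbitrary surrounding state.

```python
# Added example (not from the thesis): an executable model of the CLS machine
# defined in Coq above. Expressions are de Bruijn terms; the names "one" and
# "shift" for the variable cases are assumed here (the page shows only lam
# and app). Closures are ("do", K, ("lam", F)). Environments K, env stacks Ks,
# programs P and value stacks S are nested pairs with None as the empty list,
# mirroring the Coq constructors empty/cons, emptys/conss, done/consp.

def one():          return ("one",)
def shift(f):       return ("shift", f)
def lam(f):         return ("lam", f)
def app(f1, f2):    return ("app", f1, f2)

EMPTY = None        # empty environment, env stack, program or value stack


def step(state):
    """One CLS transition (the relation 'single'). Returns (rule, next_state),
    or None when the program is done. Raises ValueError on a stuck state."""
    Ks, P, S = state
    if P is EMPTY:
        return None
    instr, P_rest = P
    if instr == "apply":
        # c_apply: the value stack holds the closure (do K' (lam F1')) below W2
        (S1, clo), W2 = S
        _, K_clo, (_, F1_body) = clo
        return "c_apply", ((Ks, (K_clo, W2)), (("ev", F1_body), P_rest), S1)
    _, F = instr                               # instr = ("ev", F)
    if Ks is EMPTY:
        raise ValueError(f"stuck: no environment for {F!r}")
    Ks_rest, K = Ks
    if F[0] in ("one", "shift") and K is EMPTY:
        raise ValueError(f"stuck: unbound variable in {F!r}")
    if F[0] == "one":                          # c_top: the value is the head of K
        _, W = K
        return "c_top", (Ks_rest, P_rest, (S, W))
    if F[0] == "shift":                        # c_pop: drop the head of K
        K0, _ = K
        return "c_pop", ((Ks_rest, K0), (("ev", F[1]), P_rest), S)
    if F[0] == "lam":                          # c_lam: build a closure over K
        return "c_lam", (Ks_rest, P_rest, (S, ("do", K, F)))
    if F[0] == "app":                          # c_app: push K twice, schedule F1, F2, apply
        F1, F2 = F[1], F[2]
        return "c_app", (((Ks_rest, K), K),
                         (("ev", F1), (("ev", F2), ("apply", P_rest))), S)
    raise ValueError(f"stuck state: {state!r}")


def run(state, max_steps=None):
    """A trace (start, [rule names], end). With max_steps=None this is the
    relation multi: iterate step until the program is done."""
    start, steps = state, []
    while max_steps is None or len(steps) < max_steps:
        r = step(state)
        if r is None:
            break
        name, state = r
        steps.append(name)
    return start, steps, state


def append(trace1, trace2):
    """The append lemma: from multi A B and multi B C build multi A C."""
    a, s1, b = trace1
    b2, s2, c = trace2
    if b != b2:
        raise ValueError("traces do not meet in a common state")
    return a, s1 + s2, c


def ceval(K, F):
    """The run constructor of ceval: evaluate F in K on an otherwise empty
    machine and read W off the final state (st emptys done (cons empty W))."""
    start = ((EMPTY, K), (("ev", F), EMPTY), EMPTY)
    _, steps, (Ks, P, S) = run(start)
    if not (Ks is EMPTY and P is EMPTY and S is not EMPTY and S[0] is EMPTY):
        raise ValueError("machine halted in an unexpected state")
    return S[1], steps


def subcomp(K, F, Ks=EMPTY, P=EMPTY, S=EMPTY):
    """Subcomputation lemma, checked by running: from (st (conss Ks K)
    (consp (ev F) P) S) the machine reaches (st Ks P (cons S W)), W being the
    value of F in K. Returns the number of transitions needed."""
    W, _ = ceval(K, F)
    state, target, n = ((Ks, K), (("ev", F), P), S), (Ks, P, (S, W)), 0
    while state != target:
        r = step(state)
        if r is None:
            raise ValueError("halted before reaching the target state")
        _, state = r
        n += 1
    return n


if __name__ == "__main__":
    identity = lam(one())
    print(ceval(EMPTY, app(identity, identity)))
```

Running the identity combinator applied to itself produces the trace c_app, c_lam, c_lam, c_apply, c_top and the closure (do empty (lam one)), which is exactly the sequence of intermediate states the user has to supply by hand in the Coq proof of subcomp above.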

This  concludes  the  presentation  of  the  T  in  Coq.  In  the  next  chapter  we  will  define  the  meta 
logical  framework  MLF,  which  can  be  used  as  the  theoretical  foundation  of  a  proof  development 
environment  based  on  LF. 

2.4  Result 

In this chapter we showed that Elf is a logic programming language based on LF. It does not
offer any mechanism to use it as an automated theorem proving system. On the other hand we
showed that Coq performs very well in automated theorem proving, but it is too powerful
to be used as a programming language. The aim of this thesis is to propose a system which
equips Elf with an appropriate meta logic. This meta logic should be powerful enough that proofs
by induction can be handled easily, but not so powerful that inconsistencies arise.

We  remarked  that  LF  is  not  as  powerful  as  CIC.  For  a  more  detailed  investigation  see  [Bar92]. 
The  representation  of  the  example  from  section  2.1  in  Coq  followed  closely  the  representation 
in  LF. 

In the next chapter we will present such a meta logic for the Horn fragment of LF: it is
called MLF. MLF can be seen as a sequent calculus on top of LF. It supports reasoning over LF
signatures. Induction as a fundamental proof technique is represented by a special rule, the case
rule. In contrast to the approach realized in CIC, we omit the generation of induction principles.
Instead we allow recursion, whose usage is restricted to avoid the generation of non-total proof
objects. We believe that the explicit generation of induction principles limits the power of the
inductive component, and we also believe that by omitting these principles the expressive power
of the meta logic is increased.

An interactive proof system for MLF on top of LF is not yet implemented. We show in chapter
5 how MLF can be used to prove meta theoretical results.
In this chapter we introduce MLF. MLF is a meta logic which allows reasoning about the Horn
fragment of the logical framework LF. The proof theory of MLF is given as an intuitionistic
sequent calculus [Gal93], equipped with rules to reason about LF types and LF objects. Since
LF is very frequently used to represent deductive systems, induction is a major concept in
MLF. The notion of induction differs from others [C+95]. A standard approach would be to
introduce induction in the form of induction principles. An induction principle corresponds to proof
by structural induction over the structure of a term. The main disadvantage of the generation
of induction principles is the inflexibility which arises because the induction hypothesis can only be
applied to direct subterms. A lot of proofs can only be done by complete structural induction:
the induction hypothesis must be applicable to any smaller term according to a well-founded
ordering. If this kind of induction is used, the proof of being "smaller" has to be performed
within the meta logic.

The rules of MLF are equipped with proof terms. This is the motivation to prove the
"smaller" relation on the basis of the proof terms — outside of MLF. Hence we define a rule
which provides the induction hypothesis with this requirement formulated as a side condition.
The second important rule to complete the treatment of induction is the case distinction rule.
This rule allows one to discriminate between different forms of LF objects. Similar ideas can be
found in [MN94].

This  chapter  is  organized  as  follows:  In  the  first  section  we  introduce  the  language  of  MLF, 
the  Horn  fragment  of  LF  and  proof  terms.  We  introduce  basic  notions  like  substitution  and 
unification.  In  the  second  section  we  introduce  the  inference  rule  system  for  MLF  and  in  the 
last  we  demonstrate  how  to  use  it. 


3.1  Language 

In  this  section  we  define  the  language  of  MLF.  The  calculus  incorporates  two  levels  of  reasoning. 
On  the  meta  level  we  reason  about  formulas  and  proof  terms,  on  the  LF  level  about  types  and 
objects  of  the  Horn  fragment  of  LF  type  theory. 

MLF is restricted to the Horn fragment of LF because of these two levels of reasoning.
Because of the strict distinction between both levels, we define two totally distinct variable
concepts: one variable concept for the meta level and one variable concept for the LF level. As
we will see, it is in general impossible to construct objects for a function type in LF. We will
discuss this problem in more detail when we describe the typing rules for MLF.

When  we  reason  in  MLF,  we  will  keep  track  of  a  set  of  assumptions  and  a  goal,  for  which  a 
proof  term  is  to  be  constructed.  Since  function  types  of  LF  cannot  occur  as  a  goal,  the  notion 
of  types  in  the  Horn  fragment  of  LF  is  split  into  two  notions:  LF  types  which  can  occur  as 
assumptions,  and  LF  types  which  can  occur  as  goals. 

The distinction between two different kinds of LF types gives reason to discriminate between MLF
formulae as well. We distinguish formulae which occur as assumptions, which we call data formulae,
from formulae which occur as goals, which we call goal formulae. We now address the exact
characterization of the meta level and the LF level.

Meta  level: 

The meta level stands for reasoning about LF types and LF objects. The meta level by itself
consists of two different layers. There are formulae, which represent properties of LF types and
LF objects on the meta level. Furthermore, there are proof terms, which correspond to proofs
of formulae. A proof term captures the computational content of a proof; proof terms are also called programs.

In  the  next  paragraph  we  will  introduce  the  LF  level.  Since  LF  types  and  LF  objects  are  the 
entities  which  should  be  reasoned  about,  there  must  be  an  interface  between  the  meta  level  and 
the  LF  level:  We  define  therefore  a  non-standard  kind  of  formula  which  represents  LF  types. 

If A is an LF type, then $\overline{A}$ denotes the corresponding formula. The function $\overline{\cdot}$ is an
embedding function of LF types into formulae.

A different connection has to be established between LF objects and programs. LF objects
are considered as proofs for embedded LF types. If M is an LF object, $\overline{M}$ is the corresponding
program.

The motivation for this construction is as follows: in general, in logic a formula is provable
if a derivation can be found using a sound and complete calculus. In this general case there
are only two possibilities: a formula is provable or not. The demands towards MLF are much
more general in this respect. MLF should provide an answer to the question: why is a formula
provable? This immediately raises the question what it means for an embedded LF type to be
true: an embedded LF type is considered to be true if and only if it is inhabited. The question
of why can be answered by pointing to the witness object.

Let M be a proof object which witnesses A to be inhabited. We write $\overline{M}$ for the representation
of the LF object as a program: $\overline{M}$ is a proof of $\overline{A}$ if and only if M is an object of type A. A
picture can make this more clear:

    Programs            Formulae
       ^                   ^
       | (overline)        | (overline)
    LF objects          LF types

The  variable  concept  on  the  meta  level  and  the  variable  concept  on  the  LF  level  are  two 
totally  different  concepts.  They  should  not  be  mixed  up.  We  denote  the  set  of  meta  variables 
with  X.  To  make  the  distinction  between  meta  variables  and  object  variables  clearer,  we  denote 
meta  variables  always  with  uppercase  letters  and  object  variables  always  with  lowercase  letters. 
We define now the meta logic. As mentioned earlier, the meta logic is based on first order
intuitionistic logic, taking into account the Horn fragment of the underlying type theory LF. The
language of formulae contains universal and existential quantification, conjunction, disjunction
and implication. 1 stands for "True". First we define the most general notion of formula, which we
call F:

Formulae: $F ::= \forall X : A.\,F \mid \exists X : A.\,F \mid F_1 \wedge F_2 \mid F_1 \vee F_2 \mid F_1 \supset F_2 \mid 1 \mid \overline{A}$

Then we restrict this concept to the restricted versions briefly introduced above: goal formulae
and data formulae. The notion of LF type is divided into types which can occur as goal types,
$A_G$, and types which can occur as data types, $A_D$. The goal formulae are defined as follows:

Goal Formulae: $G ::= \forall X : A_D.\,G \mid \exists X : A_G.\,G \mid G_1 \wedge G_2 \mid G_1 \vee G_2 \mid D \supset G \mid 1 \mid \overline{A_G}$

and the data formulae are defined as

Data Formulae: $D ::= \forall X : A_G.\,D \mid \exists X : A_D.\,D \mid D_1 \wedge D_2 \mid D_1 \vee D_2 \mid G \supset D \mid 1 \mid \overline{A_D}$

Universal quantification, existential quantification, and implication have to be defined this
way: this will become evident when we present the typing rules for programs. Data formulae
can only occur as assumptions from which a goal formula is to be proven. Without going into
details here, there will be some rules in the inference system of MLF which have to be restricted
to certain formulae which lie in the intersection of goal formulae and data formulae: one rule,
for example, will allow the actual goal to be transformed into an assumption — this is necessary
to provide induction hypotheses, as we will discuss later. Therefore we have to characterize
the intersection of goal and data formulae. Since goal formulae and data formulae may be
constructed from goal types and data types, a notion of type must be established which describes
the set of LF types which are simultaneously representable as data types and goal types: this
set is called $A_P$. It turns out that these are exactly the atomic types. It is now straightforward
to define the language C of core formulae, which are simultaneously goal formulae and data
formulae:

Core Formulae: $C ::= \forall X : A_P.\,C \mid \exists X : A_P.\,C \mid C_1 \wedge C_2 \mid C_1 \vee C_2 \mid C_1 \supset C_2 \mid 1 \mid \overline{A_P}$

All inference rules in MLF are decorated with proof terms. The inference rules concerning
the provability judgment in MLF, which will be introduced in the next section, are decorated
with proof terms which we call programs — to reflect their computational character:

Programs: $P ::= X \mid (\mathrm{unit}) \mid (\mathrm{rec}\ X.P) \mid (\mathrm{fun}\ X.P) \mid (\mathrm{pair}\ P_1\ P_2) \mid (\mathrm{inl}\ P) \mid (\mathrm{inr}\ P) \mid (\mathrm{inx}\ P_1\ P_2) \mid (\mathrm{let}\ P_1\ \mathrm{be}\ X\ \mathrm{in}\ P_2) \mid (\mathrm{app}\ P_1\ P_2) \mid \overline{M}$
$\quad \mid (\mathrm{case}\ P\ \mathrm{of}\ Q^{(1)} \Rightarrow P^{(1)} \mid \ldots \mid Q^{(n)} \Rightarrow P^{(n)})$

The case construct is defined using patterns Q. Ideally we would like every possible
program to serve as a pattern. We assume programs to be closed with respect to LF variables.
Therefore we have to restrict the set of possible patterns to guarantee that this assumption holds.
In the following we define patterns on the program level. The variable N refers to a pattern on
the object level, which we will define below.

Program Patterns: $Q ::= (\mathrm{unit}) \mid (\mathrm{pair}\ X_1\ X_2) \mid (\mathrm{inl}\ X) \mid (\mathrm{inr}\ X) \mid (\mathrm{inx}\ X_1\ X_2) \mid \overline{N}$

LF  level: 

MLF is designed to reason about LF. Therefore we have to distinguish quite carefully between the
LF level and the meta level. We now address the definition of the LF level. We distinguish between
objects, types and kinds. Note that the Horn fragment of LF type theory is a straightforward
restriction of LF type theory. As introduced in section 2.2.1 we use x to denote LF variables,
c to denote object constants and a to denote type constants. The object level of LF has to be
extended with a projection function: programs can be used as objects. Consider the following
short example:

Example 3.1 Let Σ be an LF signature defining two type constants: the constant exp, which
stands for natural numbers, and the constant val, which represents a judgment saying that an
expression is a value; val is a dependently typed constant. Σ also defines the object constants
zero z and the successor function s. See [Pfe92] for more detail. Assume that there is a meta
variable X which represents a proof term for the formula This reads as: X stands for a
witness that is inhabited; moreover, it represents a proof object of the form $\overline{M}$.

The objective is to express the following statement on the meta level: if X is an expression
and X is a value, then the successor of X is also a value. Assume we have X, a proof of the
formula Wp. How can we express the second assumption, that X is a value? On the LF level it
is quite clear how to do it: if x is an object and y is an object of type (val x), then we can find a z in
(val (s x)). The direct approach to represent "X is a value" by (val X) does not work: X is not
an object. Since an object is expected at this position, X has to be converted into an object: we
write $\underline{X}$ to express this conversion. The form of the second assumption is therefore (val $\underline{X}$).

Finally, we can specify the goal, namely that the successor of X is also a value. Here we
transform the program X to the object level with the projection function and apply the constant
s to construct the successor. We then have to prove that a proof object can be constructed for
(val (s $\underline{X}$)).

This example motivates the definition of the projection operator $\underline{\cdot}$. It suggests that it
should be enough to restrict the domain of $\underline{\cdot}$ to meta variables. We will see that this might
not be enough: by substitution application, meta variables can be instantiated with whole
programs. That means an object of the form $\underline{X}$ may be instantiated to $\underline{P}$ under a substitution
which replaces X by P. We examine this issue further in section 4.1. With the presence of the
projection function, the diagram from above can be refined:

    Programs                Formulae
       ^    |                  ^
       |    | (underline)      |
       |    v                  | (overline)
    LF objects              LF types
Note that $\underline{\cdot}$ is the inverse operator to $\overline{\cdot}$ on objects of the LF level: for every LF object M
we expect $\underline{(\overline{M})} = M$.

We will now define the language for kinds and types. The problem of the projection operator
will be revisited when we define the language of objects. In LF, types are defined as

Types: $A ::= a \mid (A\ M) \mid \Pi x : A_1.\,A_2$

In the description of the meta level, we introduced the type $A_P$, which is simultaneously
a goal type and a data type. $A_P$ is defined to represent atomic types. We write $A_G$ for goal
types and $A_D$ for data types. The difference between $A_G$ and $A_D$ is that no Π-types are allowed
in the definition of $A_G$. $A_G$ is therefore completely subsumed by $A_D$. We define $A_G$ also as the
set of all atomic types. $A_D$ is defined to be either an atomic type or a Π-type:

Atomic types: $A_P ::= a \mid (A_P\ M)$

Goal types: $A_G ::= A_P$

Data types: $A_D ::= A_P \mid \Pi x : A_G.\,A_D$

Π-types can only be defined as data types. The corresponding kind must have the same parameter
type as the Π-type: $A_G$.

Kinds: $K ::= \mathrm{type} \mid \Pi x : A_G.\,K$

The following lemma states that it is justified to call $A_P$, $A_G$ and $A_D$ types:

Lemma  3.2  (Restricted  types  are  types)  Every  atomic  type  is  a  type,  every  goal  type  is  a 
type  and  every  data  type  is  a  type. 

Proof:  Structural  induction.  □ 

This  lemma  can  be  used  to  prove  that  G,  D  and  C  are  formulae: 

Lemma  3.3  (Restricted  formulae  are  formulae)  Every  goal  formula  is  a  formula,  every 
data  formula  is  a  formula  and  every  core  formula  is  a  formula. 

Proof: Structural induction, using lemma 3.2. □
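The type classes (atomic, goal, data) and formula classes (goal, data, core) of this section, as an added example (written for this page, not the thesis's own code): a checker that decides which classes a formula belongs to and makes lemma 3.3's relationship between restricted types and restricted formulae concrete, including that the core formulae are exactly the formulae that are both goal and data formulae. The tuple encoding of types and formulae, and the treatment of the objects inside an atomic type as opaque strings, are assumptions of this example; the quantifier cases follow the goal and data formula grammars of this section, and the sample formulas are constructed in the spirit of Example 3.1.

```python
# Added example (not from the thesis): a decision procedure for the classes of
# LF types (atomic A_P, goal A_G, data A_D) and MLF formulae (goal G, data D,
# core C) of section 3.1. Types are ("atom", name, args) or ("pi", x, A1, A2),
# with the objects in args kept as opaque strings; formulae are tagged tuples.
# Both encodings are assumptions of this example.

def atom(name, *args):   return ("atom", name, list(args))
def pi(x, a1, a2):       return ("pi", x, a1, a2)

def is_atomic_type(a):   # A_P ::= a | (A_P M)
    return a[0] == "atom"

def is_goal_type(a):     # A_G ::= A_P
    return is_atomic_type(a)

def is_data_type(a):     # A_D ::= A_P | Pi x : A_G. A_D
    if is_atomic_type(a):
        return True
    return a[0] == "pi" and is_goal_type(a[2]) and is_data_type(a[3])

def forall(x, a, f):     return ("forall", x, a, f)
def exists(x, a, f):     return ("exists", x, a, f)
def conj(f1, f2):        return ("and", f1, f2)
def disj(f1, f2):        return ("or", f1, f2)
def imp(f1, f2):         return ("imp", f1, f2)
ONE = ("one",)
def embed(a):            return ("embed", a)          # the formula \overline{A}

def is_goal_formula(f):
    """G ::= forall X:A_D.G | exists X:A_G.G | G/\\G | G\\/G | D => G | 1 | A_G-bar"""
    tag = f[0]
    if tag == "forall":  return is_data_type(f[2]) and is_goal_formula(f[3])
    if tag == "exists":  return is_goal_type(f[2]) and is_goal_formula(f[3])
    if tag in ("and", "or"):
        return is_goal_formula(f[1]) and is_goal_formula(f[2])
    if tag == "imp":     return is_data_formula(f[1]) and is_goal_formula(f[2])
    if tag == "one":     return True
    if tag == "embed":   return is_goal_type(f[1])
    raise ValueError(f"not a formula: {f!r}")

def is_data_formula(f):
    """D ::= forall X:A_G.D | exists X:A_D.D | D/\\D | D\\/D | G => D | 1 | A_D-bar"""
    tag = f[0]
    if tag == "forall":  return is_goal_type(f[2]) and is_data_formula(f[3])
    if tag == "exists":  return is_data_type(f[2]) and is_data_formula(f[3])
    if tag in ("and", "or"):
        return is_data_formula(f[1]) and is_data_formula(f[2])
    if tag == "imp":     return is_goal_formula(f[1]) and is_data_formula(f[2])
    if tag == "one":     return True
    if tag == "embed":   return is_data_type(f[1])
    raise ValueError(f"not a formula: {f!r}")

def is_core_formula(f):
    """C: every type position restricted to atomic types A_P."""
    tag = f[0]
    if tag in ("forall", "exists"):
        return is_atomic_type(f[2]) and is_core_formula(f[3])
    if tag in ("and", "or", "imp"):
        return is_core_formula(f[1]) and is_core_formula(f[2])
    if tag == "one":     return True
    if tag == "embed":   return is_atomic_type(f[1])
    raise ValueError(f"not a formula: {f!r}")

def classify(f):
    """The subset of {'goal', 'data', 'core'} that the formula f belongs to."""
    classes = set()
    if is_goal_formula(f): classes.add("goal")
    if is_data_formula(f): classes.add("data")
    if is_core_formula(f): classes.add("core")
    return classes

def core_is_intersection(f):
    """Checks on f that 'core' holds exactly when both 'goal' and 'data' hold."""
    return is_core_formula(f) == (is_goal_formula(f) and is_data_formula(f))

# Constructed samples in the spirit of Example 3.1 (objects kept as strings).
EXP = atom("exp")
CLAUSE = pi("x", EXP, atom("val", "x"))               # Pi x : exp. (val x)
THEOREM = forall("X", EXP, imp(embed(atom("val", "X")), embed(atom("val", "(s X)"))))
ASSUMPTION = embed(CLAUSE)                              # a clause of the signature
MIXED = forall("H", CLAUSE, embed(EXP))                 # quantifies over a data type

if __name__ == "__main__":
    for name, f in (("THEOREM", THEOREM), ("ASSUMPTION", ASSUMPTION), ("MIXED", MIXED)):
        print(name, sorted(classify(f)))
```

THEOREM is a core formula (every type position is atomic), ASSUMPTION is only a data formula because the embedded Π-type cannot be a goal, and MIXED is only a goal formula because a goal may assume a variable of a Π-type while a data formula may not quantify over one.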

We now address the definition of the language of objects. It is noteworthy to point out
that the projection operator collapses the strict distinction between meta level and LF level: so
far goal formulae only depend on LF types. LF types depend only on LF objects because of
dependent types. LF objects can depend on programs because of the projection operator. This
implies that formulae, types, and objects may depend on programs and programs may depend
on objects again. Therefore, the definition of objects as

Objects: $M ::= \underline{P} \mid x \mid c \mid \lambda x : A_G.\,M \mid (M_1\ M_2)$

is too general. Figure 3.1 visualizes the dependencies between objects. The dashed arrows show
that programs can depend on objects, objects can depend on programs etc. The objective is
to remove these dependencies. To restrict the dependencies, objects should only depend on
program variables, not on programs by themselves. The solid arrows in figure 3.1 show this.
Objects which satisfy this condition are called pure objects:

[Figure 3.1: dependencies between programs, formulae, objects and pure objects]

Pure Objects: $M ::= \underline{X} \mid x \mid c \mid \lambda x : A_G.\,M \mid (M_1\ M_2)$

Note that x is an object variable, defined by the LF level variable concept. The motivation
for the word pure results from the avoidance of mutual dependencies between object and meta
level. We call types $A_P$, $A_G$, $A_D$ pure types and kinds K pure kinds if the objects on which they
depend are pure objects. Programs P which depend on pure objects are called pure programs,
and similarly formulae G, D, F which depend on pure types are called pure formulae.

Lemma 3.4 Every pure object is an object, every pure type is a type and every pure kind is a
kind; every pure program is a program, every pure formula is a formula.

Proof: follows easily from the definition. □

The distinction between pure and impure objects is not trivial. There are objects which are
not pure: (eval ((fun X.X) (s F)) V1), for example, is equivalent to (eval (s F) V1) with a suitable
reduction ordering. Reduction may turn non-pure programs into pure ones.

In  the  example  3.1  we  mentioned,  that  substitution  may  destroy  the  purity  property.  In  the 
next  section  we  develop  the  theory  of  MLF  for  objects  —  not  necessarily  pure  —  in  section  4.1 
we  discuss  the  effects  of  restricting  MLF  to  pure  objects. 

An even more restricted notion of object serves as pattern for the case program we introduced
on the meta level. We call these patterns object patterns N. It must be prevented that during
a matching operation programs with free LF variables are matched against meta variables. The
matching operation will be defined in section 3.1.3. Consequently object patterns may not
contain free LF variables or λ-abstractions. We also restrict the use of constants insofar as an
object pattern may only consist of one constant c applied to a sequence of projected meta variables.
The formal definition is as follows:

Object Patterns: $N ::= c \mid (N\ \underline{X})$

As introduced in [HHP87, HHP93], LF signatures are used to define object constants and
type constants. The syntactic definition of an LF signature is as follows:

Signature: $\Sigma ::= \cdot \mid \Sigma, c : A_D \mid \Sigma, a : A$

It is a slightly different definition from the one we introduced in section 2.2.1. From now on,
we always consider Σ to be given and fixed.

3.1.1 Substitutions

In the following we introduce the concept of substitution. We are dealing with two different kinds
of substitutions. One kind of substitution replaces meta variables by programs — this is called
a meta level substitution — the other replaces object variables by objects — this is called an object level
substitution.

We denote the empty substitution with $\cdot$ and the constructor with ','. Meta level substitutions
are denoted with Θ, object level substitutions with θ.

Meta level substitution: $\Theta ::= \cdot \mid \Theta, P/X$

Object level substitution: $\theta ::= \cdot \mid \theta, M/x$

Next, we define the union operator for substitutions, which should not be mistaken for
concatenation. Let $\Theta = \cdot, P_1/X_1 .. P_n/X_n$ and $\Phi = \cdot, Q_1/Y_1 .. Q_m/Y_m$, the $X_i$'s and the $Y_j$'s not
necessarily distinct. Then we define

$\Theta \cup \Phi := \cdot, P_1/X_1 .. P_n/X_n, Q_1/Y_1 .. Q_m/Y_m$

We remark that ∪ is not a commutative operation. This will become evident when we formalize
substitution application.

The union operator is defined for two object level substitutions $\theta = \cdot, M_1/x_1 .. M_n/x_n$ and
$\psi = \cdot, N_1/y_1 .. N_m/y_m$, the $x_i$'s and the $y_j$'s not necessarily distinct, as

$\theta \cup \psi := \cdot, M_1/x_1 .. M_n/x_n, N_1/y_1 .. N_m/y_m$

Substitution application on the meta level has the form $[\Theta](\cdot)$, substitution application on
the object level has the form $\{\theta\}(\cdot)$. From now on we omit the leading $\cdot$ of non-empty
substitutions.

Concatenation of substitutions is defined like function application: two substitution
applications are concatenated by applying one after the other. We have to define concatenation
for meta level substitutions

Definition 3.5 (Concatenation for meta substitutions) Let α be a program, formula, object
or type. Let Θ, Φ be substitutions. We define $\Theta \circ \Phi(\alpha) := [\Theta]([\Phi](\alpha))$,

and for object level substitutions:

Definition 3.6 (Concatenation for object substitutions) Let α be an object, type or kind.
Let θ, ψ be substitutions. We define $\theta \circ \psi(\alpha) := \{\theta\}(\{\psi\}(\alpha))$.

This definition is different from the one Wayne Snyder [Sny91] uses in his book: he defines
$\Theta \circ \Phi(\alpha)$ as $\Phi(\Theta(\alpha))$. Since this change of order can easily lead to confusion, we decided
to keep the order invariant.


Meta level substitutions

Since programs, formulae, objects, types, and kinds can depend on meta variables, the notion
of substitution has to be extended to all of them. We obtain five different judgments; three of
them serve to replace meta variables in objects, types, and kinds, the other two serve to replace
meta variables in programs and formulae.

$[\Theta]_{object}(M) = M'$
$[\Theta]_{type}(A) = A'$
$[\Theta]_{kind}(K) = K'$
$[\Theta]_{program}(P) = P'$
$[\Theta]_{formula}(G) = G'$

We first define meta level substitution on the LF level: $[\Theta]_{object}$, $[\Theta]_{type}$ and $[\Theta]_{kind}$. We
give the definitions in the form of equations:

Definition 3.7 (Substitution on objects)

$[\Theta]_{object}(\underline{P}) = M$ if $P = X$ and $\Theta(X) = \overline{M}$, and $[\Theta]_{object}(\underline{P}) = \underline{[\Theta]_{program}(P)}$ otherwise
$[\Theta]_{object}(x) = x$
$[\Theta]_{object}((M_1\ M_2)) = ([\Theta]_{object}(M_1)\ [\Theta]_{object}(M_2))$
$[\Theta]_{object}(\lambda x : A.\,M) = \lambda x : [\Theta]_{type}(A).\,[\Theta]_{object}(M)$


We could have replaced the first equation by

$[\Theta]_{object}(\underline{P}) = \underline{[\Theta]_{program}(P)}$

It is easy to see that both formulations are equivalent with respect to the conversion rule

    ---------------- Epsilon
    $\underline{\overline{M}} = M$

which justifies the following general equation:

$[\Theta]_{object}(\underline{X}) = \underline{([\Theta]_{program}(X))} = \underline{\overline{M}} = M$

Note that the conversion rule is non-standard. Under the assumption that the programs which
define Θ are normal with respect to this reduction rule, the result of the application is guaranteed
to be normal, too. In this case we do not need the conversion rule. Therefore it is not necessary
to incorporate this reduction rule into MLF, as long as meta level substitution performs this
reduction implicitly on objects. We will discuss this in more detail in section 3.2.

Next, we define substitution application for types. The definition is straightforward. It
subsumes the definition of substitution application on atomic, goal and data types because
of lemma 3.2.

Definition 3.8 (Substitution on types)

$[\Theta]_{type}(a) = a$
$[\Theta]_{type}(\Pi x : A_1.\,A_2) = \Pi x : [\Theta]_{type}(A_1).\,[\Theta]_{type}(A_2)$
$[\Theta]_{type}((A\ M)) = ([\Theta]_{type}(A)\ [\Theta]_{object}(M))$


The  substitution  application  on  kinds  is  defined  similarly  straightforward: 


Definition 3.9 (Substitution on kinds)

$[\Theta]_{kind}(\mathrm{type}) = \mathrm{type}$
$[\Theta]_{kind}(\Pi x : A.\,K) = \Pi x : [\Theta]_{type}(A).\,[\Theta]_{kind}(K)$


Now  we  will  address  the  definition  of  meta  level  substitution  application  to  programs  and 
formulae.  Since  formulae  can  contain  free  meta  variables,  the  definition  of  the  substitution 
application  has  to  be  carried  out  with  some  care:  the  renaming  of  variables  has  to  be  done 
explicitly  in  all  cases  where  variables  are  bound  by  formulae  or  programs: 


Definition 3.10 (Substitution on formulas)

$[\Theta]_{formula}(\forall X : A.\,G) = \forall Y : [\Theta]_{type}(A).\,[\Theta, Y/X]_{formula}(G)$
$[\Theta]_{formula}(\exists X : A.\,G) = \exists Y : [\Theta]_{type}(A).\,[\Theta, Y/X]_{formula}(G)$
$[\Theta]_{formula}(G_1 \wedge G_2) = [\Theta]_{formula}(G_1) \wedge [\Theta]_{formula}(G_2)$
$[\Theta]_{formula}(G_1 \vee G_2) = [\Theta]_{formula}(G_1) \vee [\Theta]_{formula}(G_2)$
$[\Theta]_{formula}(G_1 \supset G_2) = [\Theta]_{formula}(G_1) \supset [\Theta]_{formula}(G_2)$
$[\Theta]_{formula}(1) = 1$
$[\Theta]_{formula}(\overline{A}) = \overline{[\Theta]_{type}(A)}$

where Y is a new variable.
Definition 3.11 (Substitution on programs)

$[\cdot]_{program}(X) = X$
$[\Theta, P/Y]_{program}(X) = P$ if $X = Y$, and $[\Theta, P/Y]_{program}(X) = [\Theta]_{program}(X)$ otherwise
$[\Theta]_{program}((\mathrm{unit})) = (\mathrm{unit})$
$[\Theta]_{program}((\mathrm{rec}\ X.P)) = (\mathrm{rec}\ Y.\,[\Theta, Y/X]_{program}(P))$
$[\Theta]_{program}((\mathrm{fun}\ X.P)) = (\mathrm{fun}\ Y.\,[\Theta, Y/X]_{program}(P))$
$[\Theta]_{program}((\mathrm{pair}\ P_1\ P_2)) = (\mathrm{pair}\ [\Theta]_{program}(P_1)\ [\Theta]_{program}(P_2))$
$[\Theta]_{program}((\mathrm{inl}\ P)) = (\mathrm{inl}\ [\Theta]_{program}(P))$
$[\Theta]_{program}((\mathrm{inr}\ P)) = (\mathrm{inr}\ [\Theta]_{program}(P))$
$[\Theta]_{program}((\mathrm{inx}\ P_1\ P_2)) = (\mathrm{inx}\ [\Theta]_{program}(P_1)\ [\Theta]_{program}(P_2))$
$[\Theta]_{program}((\mathrm{case}\ P\ \mathrm{of}\ Q^{(1)} \Rightarrow P^{(1)} \mid \ldots \mid Q^{(n)} \Rightarrow P^{(n)}))$
$\quad = (\mathrm{case}\ [\Theta]_{program}(P)\ \mathrm{of}\ [\Phi_1]_{program}(Q^{(1)}) \Rightarrow [\Theta \circ \Phi_1]_{program}(P^{(1)}) \mid \ldots \mid [\Phi_n]_{program}(Q^{(n)}) \Rightarrow [\Theta \circ \Phi_n]_{program}(P^{(n)}))$
$[\Theta]_{program}((\mathrm{let}\ P_1\ \mathrm{be}\ X\ \mathrm{in}\ P_2)) = (\mathrm{let}\ [\Theta]_{program}(P_1)\ \mathrm{be}\ Y\ \mathrm{in}\ [\Theta, Y/X]_{program}(P_2))$
$[\Theta]_{program}((\mathrm{app}\ P_1\ P_2)) = (\mathrm{app}\ [\Theta]_{program}(P_1)\ [\Theta]_{program}(P_2))$
$[\Theta]_{program}(\overline{M}) = \overline{[\Theta]_{object}(M)}$

where Y is a new variable. In the case case, let $\{X^i_1 .. X^i_k\} = Free(Q^{(i)})$ be the set of free variables
occurring in the pattern $Q^{(i)}$; $\Phi_i = Y^i_1/X^i_1 .. Y^i_k/X^i_k$ is a variable renaming substitution, where
$Y^i_1 .. Y^i_k$ are new variable names.


We call a substitution pure if all programs which define the substitution are pure. Purity of the participating programs is not enough, as we will see in Section 4.1. A stronger notion is required: we call a substitution strictly pure if its application cannot create something impure. The definition is as follows:


Definition 3.12 (Strictly pure substitutions) A substitution $\Theta$ is called strictly pure iff for all $X \in dom(\Theta)$: $\Theta(X) = Y$ or $\Theta(X) = M$ with $M$ pure.


3.1.2 LF level substitutions

LF level substitutions replace LF variables by LF objects. We assume that programs and goals are closed with respect to object variables. Therefore we only have to define object level substitution for objects, types and kinds.

Definition 3.13 (Object substitution on kinds)

$\{\theta\}_{kind}(\mathrm{type}) = \mathrm{type}$

$\{\theta\}_{kind}(\Pi x{:}A.\,K) = \Pi x'{:}\{\theta\}_{type}(A).\,\{\theta \circ (x'/x)\}_{kind}(K)$

where $x'$ is a new variable name.

Definition 3.14 (Object substitution on types)

$\{\theta\}_{type}(\Pi x{:}A_1.\,A_2) = \Pi x'{:}\{\theta\}_{type}(A_1).\,\{\theta \circ (x'/x)\}_{type}(A_2)$

$\{\theta\}_{type}(A\ M) = (\{\theta\}_{type}(A)\ \{\theta\}_{object}(M))$

where $x'$ is a new variable name.

Definition  3.15  (Object  substitution  on  objects) 

$\{\cdot\}_{object}(x) = x$
$\{\theta, M/y\}_{object}(x) = M$ if $x = y$, and $\{\theta\}_{object}(x)$ otherwise
$\{\theta\}_{object}(c) = c$
$\{\theta\}_{object}(\underline{P}) = \underline{P}$
$\{\theta\}_{object}(\lambda x{:}A.\,M) = \lambda x'{:}\{\theta\}_{type}(A).\,\{\theta \circ (x'/x)\}_{object}(M)$
$\{\theta\}_{object}(M_1\ M_2) = (\{\theta\}_{object}(M_1)\ \{\theta\}_{object}(M_2))$

where $x'$ is a new variable name.

We observe that the only non-standard case is the application of a substitution $\theta$ to a projected program $\underline{P}$. Because of the assumption that $P$ is closed with respect to object variables, the result of the substitution application is $\underline{P}$.

In the remainder of the thesis we omit the subscripts indicating which substitution application to take: instead of writing $[\Theta]_{program}(P)$ we write simply $[\Theta](P)$, and instead of writing $\{\theta\}_{type}(A)$ we write $\{\theta\}(A)$.

3.1.3 Unification

We now define the notion of unification. Unification will play a role in the definition of one of the typing rules for programs. Unification is based on meta level substitutions only.

In this paragraph we speak of terms. A term is either a program, a formula, an object, a type or a kind. A substitution $\Theta$ is called a unification of two terms if it makes both terms syntactically equal.

Unifications can be ordered. We define the "more general" relation for substitutions: a substitution is called more general than another if the latter can be derived from the former by further instantiation of free variables. More formally:

Definition 3.16 (More general relation) We say that $\Theta \le \Theta'$ iff there is a substitution $\Theta''$ s.t. $\Theta'' \circ \Theta = \Theta'$. $\Theta \le \Theta'$ reads as "$\Theta$ is more general than $\Theta'$".

A general observation is that the solutions of a first order unification problem are ordered with respect to the more general relation. The existence of a least element in this order is guaranteed [Sny91]. This substitution is called the most general unifier. The most common first order unification algorithms, like the Robinson algorithm or the unification algorithm of Martelli and Montanari [AM82], are guaranteed to find the most general unifier. In the higher order case, the notion of most general unifier suddenly becomes insufficient. A higher order unification problem can have arbitrarily many general unifiers which are not instantiations of each other.

Even though MLF as we introduced it in this section resembles a first order language, its connection to LF destroys the first order property. The unification problem turns out to be more complicated than simple first order unification.

We are not going into the details of unification problems; the reader is referred to [Sny91]. All we need for our purposes is the notion of a unifier on the LF type level and the notion of matching on the program level. In this thesis we adopt Wayne Snyder's view of a unification problem being given as a set of equations to be solved.

Definition 3.17 (Unifier) Let $A_1, A_2$ be two LF types. $\Theta$ is called a unifier of $A_1$ and $A_2$ iff $\Theta(A_1) = \Theta(A_2)$. We write $\Theta = \mathrm{unify}(A_1 \approx A_2)$.

Definition 3.18 (Matching) Let $P$ be a program and $Q$ be a program pattern. $\Theta$ is called a matching of $P$ and $Q$ iff $\Theta(P) = \Theta(Q)$. We write $\Theta = \mathrm{match}(P \approx Q)$.

If there is a matching between a program $P$ and a pattern $Q$, one says that $Q$ matches with $P$.

3.1.4 Context

For the definition of sequents, which will be introduced in the next section, we must provide the notion of context. As in the case of substitution we have to distinguish between two different kinds of contexts. There is a context defined on the meta level, which is denoted by $\Gamma$, and there is the notion of context on the LF level, which is denoted by $\Delta$.

A meta context declares meta variables as assumed proof objects for corresponding data formulae. The formulae can be seen as meta types of program variables. Note that we choose "$\in$" as a separator between a meta variable and its data formula in order to prevent confusion with contexts as used on the LF level.

Definition 3.19 (Meta context)

Meta context: $\Gamma ::= \cdot \mid \Gamma, X \in D$

Contexts which are constructed from only pure data formulae $D$ are called pure contexts. The LF level context is defined similarly to the meta level context: meta variables are replaced by LF variables, data formulae are replaced by data types, and the separator symbol is ":".

Definition 3.20 (LF context)

LF context: $\Delta ::= \cdot \mid \Delta, x : A_D$

We define the notion of support and the notion of free variables of meta and LF contexts: the domain (support) of a context is the set of variable names introduced by the context, and the free variables of a context are the variables which occur free in its formulae and types.
Definition 3.21 (Support of a context) Let $\Gamma$ be a meta context and $\Delta$ be an LF context.

$dom(\cdot) = \emptyset$
$dom(\Gamma, X \in D) = \{X\} \cup dom(\Gamma)$
$dom(\Delta, x : A_D) = \{x\} \cup dom(\Delta)$

The set of free variables is defined similarly:

Definition 3.22 (Free variables in a context) Let $\Gamma$ be a meta context and $\Delta$ be an LF context.

$Free(\cdot) = \emptyset$
$Free(\Gamma, X \in D) = Free(\Gamma) \cup Free(D)$
$Free(\Delta, x : A_D) = Free(\Delta) \cup Free(A_D)$

We  will  not  define  the  set  of  free  variables  for  formulae,  programs,  types  and  objects.  The 
definition  is  standard. 

The concatenation of two contexts is written as $\Gamma_1, \Gamma_2$ on the meta level and as $\Delta_1, \Delta_2$ on the LF level. The overloading of the "," constructor has an advantage and a disadvantage. The disadvantage is that it cannot be uniquely determined what "," constructs. On the other hand, by using "," as context union we save new notation, which makes it easier to digest the formalism introduced in the next sections and chapters. Meta context concatenation is defined by the judgement $\Gamma_1, \Gamma_2 = \Gamma_3$.

------------------------------ concmetaemp
$\Gamma_1, \cdot = \Gamma_1$

$\Gamma_1, \Gamma_2 = \Gamma_3$
------------------------------------------------------ concmetanonemp
$\Gamma_1, (\Gamma_2, X \in G) = \Gamma_3, X \in G$

LF context concatenation is defined by the judgement $\Delta_1, \Delta_2 = \Delta_3$.

------------------------------ concobjemp
$\Delta_1, \cdot = \Delta_1$

$\Delta_1, \Delta_2 = \Delta_3$
------------------------------------------------------ concobjnonemp
$\Delta_1, (\Delta_2, x : A) = \Delta_3, x : A$

Contexts can also be subject of substitution application. We have to introduce a new judgement: we write

$[\Theta]_{context}(\Gamma)$

for the application of a substitution to a meta context. The inference rules are as follows:

Definition 3.23 (Substitution on context)

---------------------------------- substctxemp
$[\Theta]_{context}(\cdot) = \cdot$

$[\Theta]_{context}(\Gamma) = \Gamma'$    $[\Theta]_{formula}(G) = G'$
---------------------------------------------------------------- substctxin   ($X \notin dom(\Theta)$)
$[\Theta]_{context}(\Gamma, X \in G) = \Gamma', X \in G'$

$[\Theta]_{context}(\Gamma) = \Gamma'$
---------------------------------------------------------------- substctxnotin   ($X \in dom(\Theta)$)
$[\Theta]_{context}(\Gamma, X \in G) = \Gamma'$
This definition may seem a little peculiar: substitution application on contexts is not performed in a declaration by declaration manner, but meta variable declarations can be removed. $\Theta$ must be seen as a refinement substitution, that is, variables in $Free(\Theta)$ are refined by its application. When all free occurrences of a variable $X$ are removed, then the declaration of $X$ in the context is unnecessary. Finally, we define the application of meta level substitutions to LF contexts:

Definition 3.24 (Substitution on object context)

-------------------------------- substobjctxemp
$[\Theta]_{objctx}(\cdot) = \cdot$

$[\Theta]_{objctx}(\Delta) = \Delta'$    $[\Theta]_{formula}(A) = A'$
------------------------------------------------------------ substobjctxnonemp
$[\Theta]_{objctx}(\Delta, x : A) = \Delta', x : A'$

It is easy to see that substitution has the following property: extracting typing information from a context and substitution application are associative. Here is the lemma without proof:

Lemma 3.25

$[\Theta]_{context}(\Gamma)(X) = [\Theta]_{formula}(\Gamma(X))$   (3.1)

$[\Theta]_{objctx}(\Delta)(x) = [\Theta]_{type}(\Delta(x))$   (3.2)

In the next section we will define typing rules which distinguish between well-formed and ill-formed contexts.


3.2 Reduction relation and Evaluation

In this section we state the reduction relation of LF objects, LF types, and LF kinds. We also propose a reduction relation for programs. As remarked earlier, programs can be seen as an extension of the simply-typed $\lambda$-terms. Hence, $\beta$- and $\eta$-reduction are reduction rules. For the other operational programs we define further reduction rules. From the theory of the $\lambda$-calculus it is well-known that $\lambda$-terms might not reduce to normal forms. Evaluation orderings are defined, which motivates the notion of canonical forms. At the end of this section we define an inference rule system for an evaluation judgment based on the eager evaluation ordering.

3.2.1  Reduction  Relation  for  LF  Objects,  LF  Types,  and  LF  Kinds 

In the original definition of the logical framework LF, a congruence relation between objects, types and kinds is defined. We denote the congruence relation between kinds by $K_1 \equiv K_2$, between types by $A_{P1} \equiv A_{P2}$, $A_{G1} \equiv A_{G2}$, $A_{D1} \equiv A_{D2}$, and between objects by $M_1 \equiv M_2$. In the next subsection we present a reduction relation for programs. Since projected programs are objects, there is a mutual dependency between programs and LF objects which must be expressed in the definition of the reduction relation. This dependency destroys the clean distinction between the LF and the meta level. This is why we decided to restrict the reduction relation on programs to syntactical identity. This way we manage to preserve the clean distinction.

The notion of reduction is necessary because in the simply typed $\lambda$-calculus, $\lambda$-terms are to be considered equal if they are either $\beta$-reducible or $\eta$-reducible to each other. This observation applies to the level of LF objects. We have the following two rules:

---------------------------------------------------- objbeta
$(\lambda x{:}A_G.\,M)\ N \equiv \{\cdot, N/x\}(M)$

---------------------------------------------------- objeta
$(\lambda x{:}A_G.\,(M\ x)) \equiv M$

We observe that even though $\equiv$ is defined only on the LF object level, it will have effects on types and on kinds. Types and kinds depend on objects, so it is necessary to define a notion of equivalence on types and kinds. We can define a set of rules which ensures reflexivity, symmetry and transitivity of $\equiv$. We are not giving the rules here; the reader is referred to [HHP93]. At last we have to make sure that $\equiv$ is a congruence relation. We do not give the rules for kinds and types; they remain as described in [HHP93]. The set of rules for objects must be extended due to the presence of projected programs or meta variables. The following rules remain unchanged:


$A_G \equiv A_G'$
---------------------------------------------------- objlamA
$\lambda x{:}A_G.\,M \equiv \lambda x{:}A_G'.\,M$

$M \equiv M'$
---------------------------------------------------- objlamB
$\lambda x{:}A_G.\,M \equiv \lambda x{:}A_G.\,M'$

$M_1 \equiv M_1'$
---------------------------------------------------- objappA
$M_1\ M_2 \equiv M_1'\ M_2$

$M_2 \equiv M_2'$
---------------------------------------------------- objappB
$M_1\ M_2 \equiv M_1\ M_2'$


The new rule is the rule which reduces projected programs. If an object is constructed by the projection of a program onto the LF level, only syntactically identical programs are considered to be equivalent. In the case of pure objects this is no restriction: pure objects only depend on projected meta variables:

------------------------------------ objprg
$\underline{X} \equiv \underline{X}$

The reduction rule in the impure case therefore has the form:

------------------------------------ objprg   (3.3)
$\underline{P} \equiv \underline{P}$
3.2.2 Reduction Relation for programs

We know from the $\lambda$-calculus that syntactically different $\lambda$-terms are considered to be semantically equal. This notion is made more precise by a so-called reduction relation. $\lambda$-terms can be rewritten using reduction rules. $\beta$-reduction and $\eta$-reduction are the only two rules defined for the $\lambda$-calculus. Programs are very similar to $\lambda$-terms. The program $(\mathrm{fun}\ X.P)$ corresponds to $\lambda$-abstraction. In this section we will restate $\beta$- and $\eta$-reduction for programs, and extend the set of reduction rules for the other programs. Note that we omit all typing information from the programs. We can do that because we can assume the programs always to be well-typed. The typing rules for programs are defined in the next section. The second assumption is that programs do not contain any occurrences of free meta variables.

Under these general assumptions we now define the inference rules for the reduction relation for programs: $P \equiv P'$. We define reduction rules for application, function, case distinction, assignment, embedding and recursion.

$\beta$-reduction

The first rule is $\beta$-reduction. If a function is applied to a program $Q$, it can be reduced to the body of the function by replacing the bound variable by $Q$.

------------------------------------------------ Beta
$(\mathrm{fun}\ X.P)\ Q \equiv [Q/X](P)$

$\eta$-reduction

The second rule corresponds to $\eta$-reduction. The program $(\mathrm{fun}\ Y.(F\ Y))$, which represents a function abstraction whose body is the application of a function $F$ to the newly bound variable, can be reduced to $F$.

------------------------------------------------ Eta
$(\mathrm{fun}\ Y.(F\ Y)) \equiv F$

$\gamma$-reduction

The third rule is a rule which reduces case expressions. We call this reduction $\gamma$-reduction. Assume a case program is given whose first parameter is of the form $C_i\ Q_1 .. Q_{m_i}$. Operationally speaking, the program defined on the $i$-th branch of the case command has to be executed after an appropriate variable substitution. Note that the number of parameters must be identical to the number of variable slots provided by the pattern. The reduction rule is defined as follows: the matching substitution between the pattern and $C_i\ Q_1 .. Q_{m_i}$ has the form $Q_1/X_1 .. Q_{m_i}/X_{m_i}$. This substitution binds the variables in the program to the new values.

---------------------------------------------------------------------------------------------------------------------- Gamma
$(\mathrm{case}\ C_i\ Q_1 .. Q_{m_i}\ \mathrm{of}\ C_1\ X^{(1)}_1 .. X^{(1)}_{m_1} \Rightarrow P^{(1)} \mid \dots \mid C_n\ X^{(n)}_1 .. X^{(n)}_{m_n} \Rightarrow P^{(n)}) \equiv [Q_1/X^{(i)}_1 .. Q_{m_i}/X^{(i)}_{m_i}](P^{(i)})$

$\lambda$-reduction

The fourth reduction rule is the assignment reduction. We call it $\lambda$-reduction. The let construct takes a parameter program $P_1$, binds it to a variable $X$ and replaces all free occurrences of $X$ in $P_2$ with $P_1$. The rule has the following form.

------------------------------------------------ Lambda
$(\mathrm{let}\ P_1\ \mathrm{be}\ X\ \mathrm{in}\ P_2) \equiv [P_1/X](P_2)$

$\epsilon$-reduction

The fifth reduction rule is called $\epsilon$-reduction. It is only important in the case of impure programs. It states that every immediate pair of projection and embedding can be removed:

------------------------------------------------ Epsilon
$\overline{\underline{P}} \equiv P$

$\rho$-reduction

The sixth and last reduction rule treats recursion; it is called $\rho$-reduction. All free occurrences of the variable $X$ are replaced by the recursive program itself.

------------------------------------------------ Roh
$(\mathrm{rec}\ X.\,P) \equiv [\mathrm{rec}\ X.\,P/X](P)$

It would be beyond the scope of this thesis to go into a detailed examination of the character and theoretical properties of this set of reduction rules. For an arbitrary program these reduction rules have a very non-deterministic flavor. We conjecture that the reduction of a well-typed program stops after finitely many applications.

3.2.3 Design of an MLF Evaluation Function

In the last subsection we defined a set of reduction rules which can reduce subterms of a term at any time. In this subsection we define an evaluation judgment for MLF. The application of reduction rules is triggered by the form of the program. We have seen that some of the reduction rules make use of substitutions. The substitutions are constructed from the form of the program, as for example for application. There are two common strategies for how to apply reduction rules. The first evaluation strategy is called eager evaluation: the programs which are used for the definition of substitutions are evaluated before the substitution is formed. The second evaluation strategy is called lazy evaluation: programs are not evaluated, but taken directly to form the substitution. In this thesis we follow only the ideas of the first strategy. The judgment we define for the eager evaluation strategy of MLF programs has the form:

$P \hookrightarrow_{MLF} P'$

In the remainder of this section we define the inference rules for this judgement: reduction rules are applied in an outermost, left to right fashion. We give the rules by distinguishing between the forms of the program $P$ in the judgment $P \hookrightarrow_{MLF} Q$:

The first rule says that the program which is the proof term for $1$ evaluates to itself.

-------------------------------------------- evunit
$\mathrm{unit} \hookrightarrow_{MLF} \mathrm{unit}$

Another program which evaluates to itself is the $\lambda$-term, or in our notation the term $(\mathrm{fun}\ X.P)$:

-------------------------------------------- evfun
$\mathrm{fun}\ X.P \hookrightarrow_{MLF} \mathrm{fun}\ X.P$

These are the only base rules for the evaluation judgement. We will now address the other programs. The recursion program corresponds to the fixed point construct of a functional programming language. The evaluation rule is defined similarly to the $\rho$-reduction:

$[\mathrm{rec}\ X.P/X](P) \hookrightarrow_{MLF} V$
-------------------------------------------- evrec
$\mathrm{rec}\ X.P \hookrightarrow_{MLF} V$

The rules for the evaluation of pair, inl, inr and inx are all very similar; the definition is straightforward.

$P_1 \hookrightarrow_{MLF} V_1$    $P_2 \hookrightarrow_{MLF} V_2$
-------------------------------------------------------- evpair
$(\mathrm{pair}\ P_1\ P_2) \hookrightarrow_{MLF} (\mathrm{pair}\ V_1\ V_2)$

$P \hookrightarrow_{MLF} V$
-------------------------------------------- evinl
$(\mathrm{inl}\ P) \hookrightarrow_{MLF} (\mathrm{inl}\ V)$

$P \hookrightarrow_{MLF} V$
-------------------------------------------- evinr
$(\mathrm{inr}\ P) \hookrightarrow_{MLF} (\mathrm{inr}\ V)$

$P_1 \hookrightarrow_{MLF} V_1$    $P_2 \hookrightarrow_{MLF} V_2$
-------------------------------------------------------- evinx
$(\mathrm{inx}\ P_1\ P_2) \hookrightarrow_{MLF} (\mathrm{inx}\ V_1\ V_2)$


The next evaluation rule defines the evaluation of a case program. The idea is to evaluate the first parameter. The result is supposed to be of the form $C_i\ Q_1 .. Q_{m_i}$. If the case construct includes the definition of a pattern which matches this program, the evaluation is possible: in this case the $i$-th program is selected, the variables are instantiated with the programs $Q_1 .. Q_{m_i}$ and the result is then evaluated. The resulting value is the value of the evaluation of the case construct.

$P \hookrightarrow_{MLF} C_i\ Q_1 .. Q_{m_i}$    $[Q_1/X^{(i)}_1 .. Q_{m_i}/X^{(i)}_{m_i}](P^{(i)}) \hookrightarrow_{MLF} V$
---------------------------------------------------------------------------------------------------------- evcase
$(\mathrm{case}\ P\ \mathrm{of}\ C_1\ X^{(1)}_1 .. X^{(1)}_{m_1} \Rightarrow P^{(1)} \mid \dots \mid C_n\ X^{(n)}_1 .. X^{(n)}_{m_n} \Rightarrow P^{(n)}) \hookrightarrow_{MLF} V$
To evaluate a let construct, we first evaluate the program $P_1$ to obtain a value $V'$. We then replace $X$ in $P_2$ by $V'$. The evaluation of $[V'/X](P_2)$ yields the value $V$. This rule is clearly eager because the program $P_1$ is evaluated before it is substituted into $P_2$.

$P_1 \hookrightarrow_{MLF} V'$    $[V'/X](P_2) \hookrightarrow_{MLF} V$
-------------------------------------------------------- evleteager
$(\mathrm{let}\ P_1\ \mathrm{be}\ X\ \mathrm{in}\ P_2) \hookrightarrow_{MLF} V$

We can also imagine a lazy version of this rule:

$[P_1/X](P_2) \hookrightarrow_{MLF} V$
-------------------------------------------------------- evletlazy
$(\mathrm{let}\ P_1\ \mathrm{be}\ X\ \mathrm{in}\ P_2) \hookrightarrow_{MLF} V$

The application rule is similar to the let rule. Both rules are closely related. It is even possible to replace the let program by an application and a fun-abstraction. We can define let as syntactic sugar for fun:

$(\mathrm{let}\ P_1\ \mathrm{be}\ X\ \mathrm{in}\ P_2) = ((\mathrm{fun}\ X.P_2)\ P_1)$

Since we want to keep proof terms readable, we decided to use the let construct instead of the application. The rule for eager application is defined as

$P_1 \hookrightarrow_{MLF} (\mathrm{fun}\ X.P')$    $P_2 \hookrightarrow_{MLF} V'$    $[V'/X](P') \hookrightarrow_{MLF} V$
-------------------------------------------------------------------------------------- evappeager
$(\mathrm{app}\ P_1\ P_2) \hookrightarrow_{MLF} V$

Again it is possible to write down the lazy form: $P_2$ is not evaluated, but directly substituted into $P'$:

$P_1 \hookrightarrow_{MLF} (\mathrm{fun}\ X.P')$    $[P_2/X](P') \hookrightarrow_{MLF} V$
-------------------------------------------------------------------------------------- evapplazy
$(\mathrm{app}\ P_1\ P_2) \hookrightarrow_{MLF} V$


To complete the inference rule set for the evaluation judgment we define the evaluation of embedded LF objects. If we can assume all programs to be pure, it has the following form:

-------------------------------------------- evobj
$\overline{M} \hookrightarrow_{MLF} \overline{M}$

$M$ cannot contain any free variables, as all evaluation rules preserve the property that the programs do not contain any free variables. The only variables which can occur free in $M$ are free meta variables. It follows immediately that $M$ does not contain any programs at all.

For the impure case, things are getting much more difficult: the object structure of $M$ has to be examined because an unevaluated program could be a subformula of $M$. The rule then has the following form:

$M_1 \equiv M_2$
-------------------------------------------- evobj
$\overline{M_1} \hookrightarrow_{MLF} \overline{M_2}$

But then the rule (3.3) has to be exchanged for the new rule:

$P_1 \equiv P_2$
-------------------------------------------- objprg'
$\underline{P_1} \equiv \underline{P_2}$

This is not really satisfactory. The aim of MLF is to reason about pure objects only.

Definition 3.26 (Canonical form) Let $P$ be a well-formed program which does not contain any free meta variables. If $P \hookrightarrow_{MLF} P'$, then $P'$ is called the canonical form of $P$.
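The following Python is an added example, not code from the thesis: it models the meta level substitution on programs of Definition 3.11, with the explicit renaming of bound variables, together with the eager evaluation judgment of Section 3.2.3 on closed, pure programs. It assumes that embedded LF objects are values and that a constructor application $C\,Q_1 .. Q_m$ is its own program form (the thesis does not name one); the recursive addition program on unary naturals is a constructed sample.

```python
"""Added example (not the thesis's code): meta-level substitution on programs
(Definition 3.11) and the eager evaluation judgment of Section 3.2.3.
Assumptions of this example: programs are closed and pure, an embedded LF
object ('obj', M) is a value, and a constructor application C Q1..Qm, which
the thesis writes without naming its program form, is its own node kind
('con', C, [Q1, ..., Qm]) whose arguments are evaluated like pair components."""
import itertools

_counter = itertools.count()

def fresh(x):
    """A new variable name, as the side condition 'Y is a new variable' demands."""
    return f"{x}_{next(_counter)}"

def subst(theta, p):
    """[Theta]program(p): theta maps variables to programs.  Every binder is
    renamed to a fresh variable before descending (Definition 3.11), so a
    substituted program can never be captured by a binder of p."""
    tag = p[0]
    if tag == 'var':                      # [Theta, P/Y](X) = P if X = Y, else X
        return theta.get(p[1], p)
    if tag in ('unit', 'obj'):            # unit and embedded objects are unchanged
        return p
    if tag in ('fun', 'rec'):             # fun X.P -> fun Y.[Theta, Y/X](P)
        y = fresh(p[1])
        return (tag, y, subst({**theta, p[1]: ('var', y)}, p[2]))
    if tag in ('pair', 'inx', 'app'):
        return (tag, subst(theta, p[1]), subst(theta, p[2]))
    if tag in ('inl', 'inr'):
        return (tag, subst(theta, p[1]))
    if tag == 'con':
        return ('con', p[1], [subst(theta, q) for q in p[2]])
    if tag == 'let':                      # let P1 be X in P2 -> let [Theta]P1 be Y in [Theta, Y/X]P2
        y = fresh(p[2])
        return ('let', subst(theta, p[1]), y, subst({**theta, p[2]: ('var', y)}, p[3]))
    if tag == 'case':                     # pattern variables are renamed by Theta_i
        branches = []
        for (c, xs), body in p[2]:
            ren = {x: ('var', fresh(x)) for x in xs}
            branches.append(((c, [ren[x][1] for x in xs]), subst({**theta, **ren}, body)))
        return ('case', subst(theta, p[1]), branches)
    raise ValueError(f"unknown program form {tag}")

def evaluate(p):
    """P ~>MLF V with the eager rules: outermost, left to right."""
    tag = p[0]
    if tag in ('unit', 'fun', 'obj'):     # evunit, evfun, evobj: values evaluate to themselves
        return p
    if tag == 'rec':                      # evrec: [rec X.P / X](P) ~> V
        return evaluate(subst({p[1]: p}, p[2]))
    if tag in ('pair', 'inx'):            # evpair, evinx
        return (tag, evaluate(p[1]), evaluate(p[2]))
    if tag in ('inl', 'inr'):             # evinl, evinr
        return (tag, evaluate(p[1]))
    if tag == 'con':
        return ('con', p[1], [evaluate(q) for q in p[2]])
    if tag == 'let':                      # evleteager: P1 ~> V', then [V'/X](P2) ~> V
        return evaluate(subst({p[2]: evaluate(p[1])}, p[3]))
    if tag == 'app':                      # evappeager: P1 ~> fun X.P', P2 ~> V', [V'/X](P') ~> V
        f = evaluate(p[1])
        if f[0] != 'fun':
            raise TypeError("application of a non-function: program is ill-typed")
        v = evaluate(p[2])
        return evaluate(subst({f[1]: v}, f[2]))
    if tag == 'case':                     # evcase: P ~> C_i Q1..Qmi, then the i-th branch under the match
        v = evaluate(p[1])
        if v[0] != 'con':
            raise TypeError("case scrutinee is not a constructor application")
        for (c, xs), body in p[2]:
            if c == v[1] and len(xs) == len(v[2]):   # match(C_i Q1..Qmi ~ C_i X1..Xmi)
                return evaluate(subst(dict(zip(xs, v[2])), body))
        raise ValueError(f"no pattern matches constructor {v[1]}")
    if tag == 'var':
        raise ValueError(f"free variable {p[1]}: programs are assumed closed")
    raise ValueError(f"unknown program form {tag}")

# Constructed sample: unary naturals z, s z, s (s z), ... as constructor programs.
def nat(n):
    p = ('con', 'z', [])
    for _ in range(n):
        p = ('con', 's', [p])
    return p

def to_int(v):
    n = 0
    while v[0] == 'con' and v[1] == 's':
        v, n = v[2][0], n + 1
    return n

# rec Add. fun N. fun K. case N of z => K | s N1 => s (app (app Add N1) K)
ADD = ('rec', 'Add', ('fun', 'N', ('fun', 'K', ('case', ('var', 'N'), [
    (('z', []), ('var', 'K')),
    (('s', ['N1']), ('con', 's', [('app', ('app', ('var', 'Add'), ('var', 'N1')), ('var', 'K'))])),
]))))

def add(m, n):
    """Evaluates (app (app Add m) n) and decodes the resulting constructor program."""
    return to_int(evaluate(('app', ('app', ADD, nat(m)), nat(n))))

if __name__ == "__main__":
    print(add(2, 1))   # 3
```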

3.3 MLF inference system

In this section we introduce the typing judgments and typing rules for MLF. In the last section we defined several languages for formulae, programs, kinds, types and objects. In this section we combine these notions and describe the different typing relations. Therefore we define a collection of new judgments. The semantics of these judgments is defined in the following subsections. Since the typing rules for each judgment will depend on other judgments, we first define the judgments and describe their meaning informally before we go into details. The judgments have the following forms:

1. $\vdash_\Sigma \Gamma\ \mathrm{ctx}$

2. $\Gamma \vdash_\Sigma G\ \mathrm{goal}$   $\Gamma \vdash_\Sigma D\ \mathrm{data}$

3. $\Gamma \vdash_\Sigma P \in G$

4. $\Gamma \vdash_\Sigma \Delta\ \mathrm{objctx}$

5. $\Gamma; \Delta \vdash_\Sigma K\ \mathrm{kind}$

6. $\Gamma; \Delta \vdash_\Sigma A_P : K$   $\Gamma; \Delta \vdash_\Sigma A_G : K$   $\Gamma; \Delta \vdash_\Sigma A_D : K$

7. $\Gamma; \Delta \vdash_\Sigma M : A_P$   $\Gamma; \Delta \vdash_\Sigma M : A_G$   $\Gamma; \Delta \vdash_\Sigma M : A_D$

The first judgement allows us to distinguish between well-formed and ill-formed contexts. The inference of this judgment will reflect that in a context $\Gamma, X \in D$, $D$ may only depend on free variables in $\Gamma$. If this holds for every declaration in a context, then we call the context well-formed, otherwise ill-formed.

The second set of judgements, $\Gamma \vdash_\Sigma G\ \mathrm{goal}$ and $\Gamma \vdash_\Sigma D\ \mathrm{data}$, expresses whether a formula $G$ is a well-formed goal formula and a formula $D$ is a well-formed data formula. Since formulae can depend on free variables, the judgments must contain the context $\Gamma$.

The third judgement is the centerpiece of the MLF rule system. It defines the typing relation between programs and formulae. This judgement can be seen from two different angles: from a logical angle and from a computer science angle.

From a logical point of view, the context represents the set of assumptions from which the formula $G$ has to be proven. The proof term $P$ represents the derivation.

From a computer science point of view, the judgment $\Gamma \vdash_\Sigma P \in G$ represents a state in a computation. The context $\Gamma$ accounts for all objects available at this stage. All objects are disguised in the form of programs. $P$ stands for the program still to be executed. $G$ is the "type" of the result. Let $X \in A$ be a declaration in the context, where $A$ is an LF type. One can expect that $X$ is bound to a value $M$ at this stage of the computation. In the last section of this chapter we will introduce an evaluation judgment which actually calculates the result program from given programs.

The fourth judgment $\Gamma \vdash_\Sigma \Delta\ \mathrm{objctx}$ defines whether an LF context $\Delta$ is well-formed with respect to a meta context $\Gamma$. The meta context has to be part of the judgment, since the declarations in $\Delta$ may depend on meta variables.

The next three sets of judgments redefine the judgments of LF type theory. Since MLF is built on top of the Horn fragment of LF, there are three different types $A_P$, $A_G$ and $A_D$. For each type there must be a typing judgment which defines the kind of the type. There must also be a typing judgment to define how the objects of this type may look.

This  section  is  organized  as  follows:  We  first  define  the  rules  for  well-formed  contexts.  We 
then  show  the  revised  versions  of  the  judgments  for  LF  type  theory,  that  is  what  are  well- 
formed  objects,  what  are  well-formed  types  and  what  are  well-formed  kinds.  Finally  we  define 
the  inference  rules  for  MLF:  What  are  well-formed  data  formulae,  what  are  well-formed  goal 
formulae,  and  what  are  well-formed  programs. 

3.3.1 Typing rules for meta context

In this subsection we define the inference rules for the judgment $\vdash_\Sigma \Gamma\ \mathrm{ctx}$: is $\Gamma$ a well-formed meta context? A meta context is well-formed if it is either empty or all declarations can be shown to be well-formed. A declaration $X \in D$ is well-formed if $D$ is a well-formed data formula:

--------------------------------- ctxemp
$\vdash_\Sigma \cdot\ \mathrm{ctx}$

$\vdash_\Sigma \Gamma\ \mathrm{ctx}$    $\Gamma \vdash_\Sigma D\ \mathrm{data}$
--------------------------------------------------------- ctxcons
$\vdash_\Sigma \Gamma, X \in D\ \mathrm{ctx}$

3.3.2 Typing rules for object contexts

In this subsection we give the rules to derive the judgment $\Gamma \vdash_\Sigma \Delta\ \mathrm{objctx}$ for well-typed object contexts. This judgement is essentially the same judgment as described in the original paper [HHP93]. We have to refine it because objects can depend on meta variables. The idea is to formulate the judgement in a way that $\Delta$ is a well-formed context with respect to the meta variables in $\Gamma$. As in the meta context definition we have to check whether every entry $x : A_D$ in $\Delta$ is defined with respect to a given $\Gamma$.

--------------------------------------- objctxemp
$\Gamma \vdash_\Sigma \cdot\ \mathrm{objctx}$

$\Gamma \vdash_\Sigma \Delta\ \mathrm{objctx}$    $\Gamma; \Delta \vdash_\Sigma A_D : \mathrm{type}$
--------------------------------------------------------------------- objctxcons
$\Gamma \vdash_\Sigma \Delta, x : A_D\ \mathrm{objctx}$

3.3.3 Typing rules for kinds

In this subsection we give the rules to derive the judgment $\Gamma; \Delta \vdash_\Sigma K\ \mathrm{kind}$ for kinds. We take the judgment from LF type theory and extend it by the context $\Gamma$. The rules are as follows:

--------------------------------------- kindtype
$\Gamma; \Delta \vdash_\Sigma \mathrm{type}\ \mathrm{kind}$

$\Gamma; \Delta \vdash_\Sigma A_G : \mathrm{type}$    $\Gamma; \Delta, x : A_G \vdash_\Sigma K\ \mathrm{kind}$
--------------------------------------------------------------------- kindpi
$\Gamma; \Delta \vdash_\Sigma \Pi x{:}A_G.\,K\ \mathrm{kind}$

Note that every $A_G$ is also an $A_D$.
3.3.4 Typing rules for types

In this subsection we give the rules to derive the judgments for types. As we have seen earlier, we distinguish between atomic types, goal types and data types. We introduced three judgments:

$\Gamma; \Delta \vdash_\Sigma A_P : K$
$\Gamma; \Delta \vdash_\Sigma A_G : K$
$\Gamma; \Delta \vdash_\Sigma A_D : K$

As we know from LF type theory, types are typed by kinds. We already know how to judge about kinds. Note that there is no direct connection between MLF and LF in these rules: types depend neither on programs nor on formulae. Indirectly they may depend on programs, since objects depend on programs and types may depend on objects. We will be concerned with this question in the next subsection. We take the judgment from LF type theory and extend it by the context $\Gamma$. The rules for all three judgments have the form:

$\Sigma(a) = K$
--------------------------------------- typeatomconst
$\Gamma; \Delta \vdash_\Sigma a : K$

$\Gamma; \Delta \vdash_\Sigma A_P : \Pi x{:}A_G.\,K$    $\Gamma; \Delta \vdash_\Sigma M : A_G$
--------------------------------------------------------------------- typeatomapp
$\Gamma; \Delta \vdash_\Sigma (A_P\ M) : \{M/x\}_{kind}(K)$

$\Gamma; \Delta \vdash_\Sigma A_P : K$    $K \equiv K'$    $\Gamma; \Delta \vdash_\Sigma K'\ \mathrm{kind}$
--------------------------------------------------------------------- typeatomequiv
$\Gamma; \Delta \vdash_\Sigma A_P : K'$

$\Gamma; \Delta \vdash_\Sigma A_G : \mathrm{type}$    $\Gamma; \Delta, x : A_G \vdash_\Sigma A_D : \mathrm{type}$
--------------------------------------------------------------------- typedatapi
$\Gamma; \Delta \vdash_\Sigma \Pi x{:}A_G.\,A_D : \mathrm{type}$


3.3.5 Typing rules for objects

In this subsection we give the rules to derive the typing judgments for objects:

$\Gamma; \Delta \vdash_\Sigma M : A_P$
$\Gamma; \Delta \vdash_\Sigma M : A_G$
$\Gamma; \Delta \vdash_\Sigma M : A_D$

In LF type theory there is the judgment $\Delta \vdash_\Sigma M : A$. Since there are atomic, goal and data types, a set of rules has to be defined for each judgment. The judgments are extended by the meta context $\Gamma$.

$\Delta(x) = A_D$
--------------------------------------- objdatasigma
$\Gamma; \Delta \vdash_\Sigma x : A_D$

$\Sigma(c) = A_D$
--------------------------------------- objdataconst
$\Gamma; \Delta \vdash_\Sigma c : A_D$

$\Gamma; \Delta \vdash_\Sigma M_1 : \Pi x{:}A_G.\,A_D$    $\Gamma; \Delta \vdash_\Sigma M_2 : A_G$
--------------------------------------------------------------------- objdataapp
$\Gamma; \Delta \vdash_\Sigma (M_1\ M_2) : A_D$

$\Gamma; \Delta, x : A_G \vdash_\Sigma M : A_D$
--------------------------------------------------------------------- objdatapi
$\Gamma; \Delta \vdash_\Sigma \lambda x{:}A_G.\,M : \Pi x{:}A_G.\,A_D$

$\Gamma; \Delta \vdash_\Sigma M : A_D$    $A_D \equiv A_D'$    $\Gamma; \Delta \vdash_\Sigma A_D' : \mathrm{type}$
--------------------------------------------------------------------- objdataequiv
$\Gamma; \Delta \vdash_\Sigma M : A_D'$

Earlier we introduced two different possibilities of how to form objects from programs. In the general case an object is formed by projecting a program onto the object level; in the restricted case the form of the programs is restricted to variables. We called objects of the latter form pure objects.

The typing rule for the impure case has the following form: if $P$ is a proof term of a formula $G$ and $G$ is of the form $A_G$, then $\underline{P}$ is of type $A_G$:

$\Gamma \vdash_\Sigma P \in A_G$
--------------------------------------- objgoalprgI   (3.4)
$\Gamma; \Delta \vdash_\Sigma \underline{P} : A_G$

If we read the rule from bottom to top, we read it as: if $\underline{P}$ should be shown to be of type $A_G$ in context $\Delta$, where the meta variables are all defined in a context $\Gamma$, then $P$ has to be shown to be a program of formula $A_G$ solely from the context $\Gamma$. We assume that every program is closed with respect to LF variables. Note that with this rule it is possible to generate cyclic dependencies between the LF level and the meta level. These dependencies must be removed, since the goal is to obtain a clean distinction between the LF and the meta level. A simplification arises from assuming that the objects in question are actually pure. That is, only meta variables can be projected onto the LF level and not arbitrary programs any more. We obtain a simplified typing rule:

$\Gamma(X) = A_G$
--------------------------------------- objgoalprgP   (3.5)
$\Gamma; \Delta \vdash_\Sigma \underline{X} : A_G$

This formulation of the rule removes the mutual dependencies between the LF and the meta level.

3.3.6 Typing rules for formulae

The judgments

$$\Gamma \vdash_\Sigma G\ \mathit{goal} \qquad\qquad \Gamma \vdash_\Sigma D\ \mathit{data}$$

define the well-formedness of goal formulae and data formulae. It is easy to see that a core formula
is well-formed if and only if it is well-formed as a goal formula, if and only if it is well-formed as a
data formula. Goal formulae and data formulae may depend on free meta variables. Hence, the
judgments depend on the context $\Gamma$. The rules for goal formulae are defined in a straightforward
manner:

$$\frac{\Gamma;\cdot \vdash_\Sigma A_D : \mathit{type} \qquad \Gamma, X \in A_D \vdash_\Sigma G\ \mathit{goal}}{\Gamma \vdash_\Sigma \forall X{:}A_D.\,G\ \mathit{goal}}\ \mathit{goalforall}$$

$$\frac{\Gamma;\cdot \vdash_\Sigma A_G : \mathit{type} \qquad \Gamma, X \in A_G \vdash_\Sigma G\ \mathit{goal}}{\Gamma \vdash_\Sigma \exists X{:}A_G.\,G\ \mathit{goal}}\ \mathit{goalexists}$$

$$\frac{\Gamma \vdash_\Sigma G_1\ \mathit{goal} \qquad \Gamma \vdash_\Sigma G_2\ \mathit{goal}}{\Gamma \vdash_\Sigma G_1 \wedge G_2\ \mathit{goal}}\ \mathit{goaland}$$

$$\frac{\Gamma \vdash_\Sigma G_1\ \mathit{goal} \qquad \Gamma \vdash_\Sigma G_2\ \mathit{goal}}{\Gamma \vdash_\Sigma G_1 \vee G_2\ \mathit{goal}}\ \mathit{goalor}$$

$$\frac{\Gamma \vdash_\Sigma D\ \mathit{data} \qquad \Gamma \vdash_\Sigma G\ \mathit{goal}}{\Gamma \vdash_\Sigma D \to G\ \mathit{goal}}\ \mathit{goalimp}$$

$$\frac{}{\Gamma \vdash_\Sigma 1\ \mathit{goal}}\ \mathit{goaltrue}$$

$$\frac{\Gamma;\cdot \vdash_\Sigma K\ \mathit{kind} \qquad \Gamma;\cdot \vdash_\Sigma A_G : K}{\Gamma \vdash_\Sigma A_G\ \mathit{goal}}\ \mathit{goaltype}$$

The rules for data formulae are similarly defined as:

$$\frac{\Gamma;\cdot \vdash_\Sigma A_G : \mathit{type} \qquad \Gamma, X \in A_G \vdash_\Sigma D\ \mathit{data}}{\Gamma \vdash_\Sigma \forall X{:}A_G.\,D\ \mathit{data}}\ \mathit{dataforall}$$

$$\frac{\Gamma;\cdot \vdash_\Sigma A_D : \mathit{type} \qquad \Gamma, X \in A_D \vdash_\Sigma D\ \mathit{data}}{\Gamma \vdash_\Sigma \exists X{:}A_D.\,D\ \mathit{data}}\ \mathit{dataexists}$$

$$\frac{\Gamma \vdash_\Sigma D_1\ \mathit{data} \qquad \Gamma \vdash_\Sigma D_2\ \mathit{data}}{\Gamma \vdash_\Sigma D_1 \wedge D_2\ \mathit{data}}\ \mathit{dataand}$$

$$\frac{\Gamma \vdash_\Sigma D_1\ \mathit{data} \qquad \Gamma \vdash_\Sigma D_2\ \mathit{data}}{\Gamma \vdash_\Sigma D_1 \vee D_2\ \mathit{data}}\ \mathit{dataor}$$

$$\frac{\Gamma \vdash_\Sigma G\ \mathit{goal} \qquad \Gamma \vdash_\Sigma D\ \mathit{data}}{\Gamma \vdash_\Sigma G \to D\ \mathit{data}}\ \mathit{dataimp}$$

$$\frac{}{\Gamma \vdash_\Sigma 1\ \mathit{data}}\ \mathit{datatrue}$$

$$\frac{\Gamma;\cdot \vdash_\Sigma K\ \mathit{kind} \qquad \Gamma;\cdot \vdash_\Sigma A_D : K}{\Gamma \vdash_\Sigma A_D\ \mathit{data}}\ \mathit{datatype}$$
3.3.7 Typing rules of MLF

The central notion for meta level reasoning is the sequent. A sequent represents information
about a context, a goal formula which is to be proven, and a proof term. The context also
represents variable dependencies. A sequent is of the form $\Gamma \vdash_\Sigma P \in G$.

The typing rules of programs in MLF are designed in sequent calculus style. We distinguish
between left and right rules, that is, rules which operate on the context and rules which operate
on the goal formula. The calculus essentially represents intuitionistic first order logic. Two
non-standard rules are added to the system. One rule is the recursion rule: in the case of an
induction proof it provides the appropriate induction hypothesis. The well-foundedness of
the recursion is not incorporated in the system, but encoded in the form of a side condition. This
approach has two advantages. First, we get a cleaner inference rule system and second a more
powerful proof system, because the well-foundedness proofs have to be done outside this system.
The second advantage is that different methods can now be used to prove well-foundedness as
a property of the proof term.

The second rule added to the system is a case distinction rule. This rule allows us to differentiate
over the different forms of an LF object. Note that since the signature is finite, only finitely many
cases have to be considered. If an LF object $M$ of LF type $A$ is given, all possible forms of
$M$ as an element of $A$ are examined. A variable refinement substitution is derived by pattern
matching. This substitution accounts for the dependencies of newly introduced variables on old
ones.

The judgment $\Gamma \vdash_\Sigma P \in G$ reads as follows. $\Gamma$ represents the context, that is, it defines all
meta variables which may occur free in $P$ and in $G$. $G$ is the goal formula to be proven. Once a
proof is found, a proof term $P$ is available. This proof term can be read as a functional program
with patterns. We will first present the axiom cases, the right rules, the recursion rule, then the
left rules, the case distinction rule, and finally the cut rule.

Axioms

The first axiom rule is purely logical. It simply says that if we have a proof of goal $G$ in the
context, then we have a proof of goal $G$.

$$\frac{\vdash_\Sigma \Gamma_1, X \in G, \Gamma_2\ \mathit{ctx}}{\Gamma_1, X \in G, \Gamma_2 \vdash_\Sigma X \in G}\ \mathit{id}$$
The second axiom rule is similarly simple. MLF is a meta logical system on top of LF. We
assume to work in a fixed signature $\Sigma$. The embedding functions we defined earlier allow LF
objects to serve as proof terms, namely proof terms for embedded LF types as MLF formulae. The
constant rule allows MLF to access constants defined in the signature:

$$\frac{\vdash_\Sigma \Gamma\ \mathit{ctx}}{\Gamma \vdash_\Sigma c \in A_G}\ \mathit{const} \qquad \text{for } c : A_G \text{ defined in } \Sigma$$

The third axiom rule can be seen as a logical rule, too. In some theorem provers, the formula
"true" is represented as a formula like $A \vee \neg A$. This representation avoids the definition of a new
constant and the corresponding inference rules. We do not follow this idea. "True" is defined
as a formula $1$ in section 3.1. Therefore we have to define an inference rule and a proof term for
$1$. In every arbitrary context $\Gamma$, $\mathrm{unit}$ is a proof for the formula $1$.

$$\frac{\vdash_\Sigma \Gamma\ \mathit{ctx}}{\Gamma \vdash_\Sigma (\mathrm{unit}) \in 1}\ \mathit{R1}$$

We will now describe the set of right rules, which are very similar to the right rules of the sequent
calculus for intuitionistic first order logic.

Right Rules:

Right rules operate on the goal formula, the only formula on the right hand side of a sequent.
A right rule can be applied in a bottom to top manner to resolve the structure of the goal and
generate a set of subgoals to be proven. Right rules are always applicable if the goal formula
is of composite form, that is, if it is not atomic. We define rules for five intuitionistic connectives:
conjunction, disjunction, implication, universal quantification, and existential quantification.

The rule for conjunction on the right is straightforward. A goal $G_1 \wedge G_2$ can be proven if
$G_1$ and $G_2$ can be proven independently. The resulting proof term is a pair of both proofs. We
introduce $\mathrm{pair}$ as a constructor for pairs in programs.

$$\frac{\Gamma \vdash_\Sigma P_1 \in G_1 \qquad \Gamma \vdash_\Sigma P_2 \in G_2}{\Gamma \vdash_\Sigma (\mathrm{pair}\ P_1\ P_2) \in G_1 \wedge G_2}\ \mathit{R}{\wedge}$$

The rule for disjunction is defined as in the intuitionistic case. We can prove the disjunction
of $G_1$ and $G_2$ if and only if at least one of $G_1$ or $G_2$ is provable. The proof term is constructed by
$\mathrm{inr}$ or $\mathrm{inl}$ with the proof term of the premiss as argument. The proof term has to store the
information whether the left or the right side of the goal has been proven. That is why we have to
distinguish two constructors.

$$\frac{\Gamma \vdash_\Sigma P \in G_1}{\Gamma \vdash_\Sigma (\mathrm{inl}\ P) \in G_1 \vee G_2}\ \mathit{R}{\vee}_1 \qquad\qquad \frac{\Gamma \vdash_\Sigma P \in G_2}{\Gamma \vdash_\Sigma (\mathrm{inr}\ P) \in G_1 \vee G_2}\ \mathit{R}{\vee}_2$$

The definition of the rule for implication is also very similar to the intuitionistic case. As
described in [GLT88], a very nice way to represent proofs in the intuitionistic calculus is to make
use of the Curry-Howard isomorphism and to present the proofs as $\lambda$-terms. The proof term
of an implication on the right is a $\lambda$-term. This term essentially reads as: from a proof of $D$
a proof for $G$ can be constructed. We restrict the left side of implication to data formulae and
the right side to goal formulae because we are working in the Horn fragment of LF. Since we
want to make a clear distinction from $\lambda$-terms as they are used in LF type theory on the
object level, we use a different notation to represent $\lambda$-terms: $(\mathrm{fun}\ X.P)$ corresponds to a $\lambda$-term
on the program level.

The rule for implication on the right reads as follows: if $D \to G$ is to be proven, it is enough
to show that under the additional assumption that we have a proof for $D$, we can find a proof for $G$:

$$\frac{\Gamma, X \in D \vdash_\Sigma P \in G}{\Gamma \vdash_\Sigma (\mathrm{fun}\ X.P) \in D \to G}\ \mathit{R}{\to}$$

To prove a universally quantified goal formula $\forall X{:}A_D.\,G$ in a context $\Gamma$, $G$ has to be proven
from an extended set of assumptions: $\Gamma$ must be extended by the assumption that we have
a proof term of the embedded data type $A_D$. Note that we have to avoid naming the new
assumption $X$, since $X$ could already be defined in the context $\Gamma$. Instead, we name it $Y$, a new
variable name, and then replace all occurrences of $X$ in $G$ by $Y$.

$$\frac{\Gamma, Y \in A_D \vdash_\Sigma [Y/X](P) \in [Y/X](G)}{\Gamma \vdash_\Sigma (\mathrm{fun}\ X.P) \in \forall X{:}A_D.\,G}\ \mathit{R}{\forall}$$

The existential rule on the right is an extended version of the one in the intuitionistic calculus.
In the intuitionistic calculus, if a formula $\exists x.G$ is to be proven, it is enough to find a witness
object $a$ s.t. $[a/x](G)$ is provable. In the MLF setting, this idea remains the same; in addition,
we have to make sure that the witness term is a term of the right type.

The rule reads as follows: if $\exists X{:}A_G.\,G$ is to be proven from a context $\Gamma$, we have to make
sure that there is a witness term $P'$ which is of type $A_G$ and that $[P'/X](G)$ can be proven from
$\Gamma$. The proof term we construct must now take both proof terms into account. We introduce
a new program constructor $(\mathrm{inx}\ P'\ P)$ which represents the witness proof term and the proof
term itself.

$$\frac{\Gamma \vdash_\Sigma P' \in A_G \qquad \Gamma \vdash_\Sigma P \in [P'/X](G)}{\Gamma \vdash_\Sigma (\mathrm{inx}\ P'\ P) \in \exists X{:}A_G.\,G}\ \mathit{R}{\exists}$$

So far we took only rules of the intuitionistic calculus and modified and extended them
slightly. As we mentioned earlier, induction will play a major role in the proof system for MLF.
The standard technique of tackling induction is to generate a set of induction principles for an
inductively defined type [Hue88, PM93, C+95]. The problem with induction principles is that
they are very rigid in their form. Proofs may not be easily found. We suspect that the inflexible
character of induction principles may paralyze the proof process. We propose to abandon the
idea of proving well-foundedness within the system and to provide a rule which introduces the
induction hypothesis in a more general way. This idea is realized in the recursion rule:
Recursion: The idea of the recursion rule is that if a formula $G$ is to be proven, we can
simply assume it and use this assumption as the induction hypothesis $X$, which has the same form
as $G$. But now $G$ must be transformed into a data formula. This is only possible if we restrict
recursion to core formulae $C$. The proof term we construct is a recursion operator. It captures
the name of the induction variable, in our rule $X$, and the proof term. The recursive character
of this program was described in section 3.2. The preliminary version of the rule is defined as
follows:

$$\frac{\Gamma, X \in C \vdash_\Sigma P \in C}{\Gamma \vdash_\Sigma (\mathrm{rec}\ X.P) \in C}\ \mathit{rec}$$

The definition of the rule is not complete yet. It has to be refined by a side condition. The
following example shows that this formulation accepts derivations which should not count as
valid derivations:

Example 3.27 Let $G$ be a goal which shall be proven from a context $\Gamma$. Omitting the side
condition at the rec-rule we can easily establish the following derivation:

$$\frac{\dfrac{}{\Gamma, X \in G \vdash_\Sigma X \in G}\ \mathit{id}}{\Gamma \vdash_\Sigma \mathrm{rec}\ X.X \in G}\ \mathit{rec}$$

We cannot accept this derivation as a valid derivation. The intuition behind this derivation
is: assume $G$ and prove $G$ from this new assumption. $X$ is the induction hypothesis. The
problem lies within the non-totality of the proof term. A proof term witnesses the provability of
a formula by itself or it describes a concept of how to construct a witness program. Obviously
these programs have to be total, that is, a witness program has to be the result of an evaluation
of the program. We make the notion of evaluation more precise later. The program $\mathrm{rec}\ X.X$
is not total: the application $((\mathrm{rec}\ X.X)\ M)$ yields after one reduction step $((\mathrm{rec}\ X.X)\ M)$.
The program will never terminate.


To exclude non-total programs as proof terms, we introduce a side condition: $P \downarrow X$. The
new judgment of the form $P \downarrow X$ holds if and only if the parameters to which $X$ is applied
are getting smaller according to a well-founded ordering. We will not go into the details of how
$P \downarrow X$ may be defined; we only set up the "interface" to the proof. The judgment $P \downarrow X$ is this
interface. The recursion rule has the form:

$$\frac{\Gamma, X \in C \vdash_\Sigma P \in C}{\Gamma \vdash_\Sigma (\mathrm{rec}\ X.P) \in C}\ \mathit{rec} \qquad \text{with } P \downarrow X$$


Left  Rules: 

After  introducing  all  right  rules  for  MLF,  we  concentrate  now  on  the  left  rules.  The  left  rules 
are  operating  on  the  context.  A  left  rule  is  applicable,  if  an  assumption  has  a  certain  form.  We 
will  structure  the  presentation  of  the  rules  in  two  parts.  In  the  first  part  we  will  give  the  rules 
which  are  taken  almost  directly  from  the  proof  system  for  intuitionistic  logic.  In  the  second 
part,  we  will  present  the  rules,  which  bridge  the  gap  between  MLF  and  LF. 
The definition of the left rules will make use of the case construct for programs. The case
distinction program is defined as

$$\mathrm{case}\ P\ \mathrm{of}\ Q^{(1)} \Rightarrow P^{(1)} \mid \ldots \mid Q^{(n)} \Rightarrow P^{(n)}$$

The $Q^{(k)}$ stand for patterns. The operational meaning of this program reads as follows: assume
that $P$ is a program. $P$ is matched against the $Q^{(k)}$; moreover, there should be exactly one $k$
s.t. $Q^{(k)}$ matches with $P$. The result of this matching process is a meta substitution $\Theta$. Under
the eager evaluation ordering $\to_{\mathit{MLF}}$ the case construct reduces to $[\Theta](P^{(k)})$.

Before we define the left rules for MLF, the notion of patterns must be examined more closely. Let
the set $\{Q^{(1)}, \ldots, Q^{(n)}\}$ be the set of patterns of the case distinction. This set of patterns should
be sound and complete with respect to the different forms $P$ can take. Soundness means that
there is at most one pattern which matches with the canonical form of $P$. Completeness
means that there is at least one pattern which matches with the canonical form of $P$. We
make both notions more formal. A complete set of patterns is defined as:

Definition 3.28 (Complete set of patterns) Let $S$ be a set of patterns. $S$ is called complete
with respect to a goal formula $G$ iff

$\Gamma \vdash_\Sigma P \in G$ implies that some $Q \in S$ matches with the canonical form of $P$

and a sound set of patterns is defined as follows:

Definition 3.29 (Sound set of patterns) Let $S$ be a set of patterns. $S$ is called sound with
respect to a goal formula $G$ iff

$Q$ matches with $P$ and $Q'$ matches with $P$ implies that $Q = Q'$.

As in the right case, there are some standard connectives which have to be defined. These
connectives are conjunction, disjunction, implication, universal and existential quantification. As
before, we will examine rule by rule and comment on the changes and extensions in comparison
with the proof system for intuitionistic logic.

Note that we did not define any structural rules for this calculus. In section 4.2 we will see
that weakening and contraction are admissible rules in this system. It cannot be expected
that a general exchange rule exists. Exchanging two assumptions in a context may violate the
dependencies of LF types on each other.

Since we do not allow any structural rules, we have to duplicate occurrences of the formula
in question from the conclusion to the premisses. We know that in a non-resource oriented
logic, assumptions cannot disappear.

The first rule we discuss is the rule for conjunction. The rule is applicable in a bottom to
top manner if a data formula $D_1 \wedge D_2$ can be found in the context. We then extend the context
by two new assumptions, namely the assumption $X_1$ as a proof of $D_1$ and $X_2$ as a proof of $D_2$.
If we then can prove $G$, a proof term $P$ will be provided. $P$ may contain the two new variables
$X_1$ and $X_2$. To construct a new proof term for the rule, we have to bring $X, X_1, X_2$ and $P$
together: the proof term is a case construct, ranging over $X$. We already know that $X$ is the
proof of a conjunction and it is easy to show that $\{(\mathrm{pair}\ X_1\ X_2)\}$ is a sound and complete set
of patterns for $D_1 \wedge D_2$. So, the final proof term has the form $(\mathrm{case}\ X\ \mathrm{of}\ (\mathrm{pair}\ X_1\ X_2) \Rightarrow P)$.

$$\frac{\Gamma_1, X \in D_1 \wedge D_2, \Gamma_2, X_1 \in D_1, X_2 \in D_2 \vdash_\Sigma P \in G}{\Gamma_1, X \in D_1 \wedge D_2, \Gamma_2 \vdash_\Sigma (\mathrm{case}\ X\ \mathrm{of}\ (\mathrm{pair}\ X_1\ X_2) \Rightarrow P) \in G}\ \mathit{L}{\wedge}$$

Using the same idea, we now define the rule for disjunction. The rule reads as follows: if
we have the assumption $D_1 \vee D_2$ and we want to prove a goal $G$, then we have to prove $G$ from $D_1$
and also prove $G$ from $D_2$. Recall that we defined two constructors for proof terms of
a disjunction: $\mathrm{inl}$, $\mathrm{inr}$. A sound and complete set of patterns is $\{(\mathrm{inl}\ X_1), (\mathrm{inr}\ X_2)\}$. The
resulting proof term is a case distinction between these two constructors. The rule is formulated
as follows:

$$\frac{\Gamma_1, X \in D_1 \vee D_2, \Gamma_2, X_1 \in D_1 \vdash_\Sigma P_1 \in G \qquad \Gamma_1, X \in D_1 \vee D_2, \Gamma_2, X_2 \in D_2 \vdash_\Sigma P_2 \in G}{\Gamma_1, X \in D_1 \vee D_2, \Gamma_2 \vdash_\Sigma (\mathrm{case}\ X\ \mathrm{of}\ (\mathrm{inl}\ X_1) \Rightarrow P_1 \mid (\mathrm{inr}\ X_2) \Rightarrow P_2) \in G}\ \mathit{L}{\vee}$$


The next rule is the rule for implication on the left. Here we assume that we have an assumption
of the form $G_1 \to D$. If we can prove that $G_1$ is true, i.e. that there is a proof term $P_1$ of $G_1$, we
can use the function represented by $X$ to obtain a proof term of $D$. If the original goal formula
$G_2$ can now be proven from an extended set of assumptions, extended by the new assumption
that there is a proof $Y$ of $D$, then we are all set. Let $P_2$ be the proof term for the formula
$G_2$. The proof term which is defined by the rule has to reflect the relationship between $Y$
and $P_1$. The intended meaning of the new program is: instantiate the meta variable $Y$ with the
application of $X$ to $P_1$. We have to combine two different programs to build up this proof term.
First, the program for instantiation is as follows: $\mathrm{let}\ P_3\ \mathrm{be}\ Y\ \mathrm{in}\ P_2$. The program $P_3$ is derived
by applying $X$ to $P_1$: $(\mathrm{app}\ X\ P_1)$. Here is the version of the rule for implication on the left.

$$\frac{\Gamma_1, X \in G_1 \to D, \Gamma_2 \vdash_\Sigma P_1 \in G_1 \qquad \Gamma_1, X \in G_1 \to D, \Gamma_2, Y \in D \vdash_\Sigma P_2 \in G_2}{\Gamma_1, X \in G_1 \to D, \Gamma_2 \vdash_\Sigma (\mathrm{let}\ (\mathrm{app}\ X\ P_1)\ \mathrm{be}\ Y\ \mathrm{in}\ P_2) \in G_2}\ \mathit{L}{\to}$$


The next rule is universal quantification on the left. This rule is applicable if there is a
universally quantified formula $\forall Y{:}A_G.\,D$ in the context. Let $P_1$ be a proof term of $A_G$. This
proof term can be interpreted as an LF object of type $A_G$. Since we can use the function $X$
to obtain a proof term of type $[P_1/Y](D)$, the set of assumptions for $G$ can be extended by the
assumption that $Z$ is a proof term of the formula $[P_1/Y](D)$. If $G$ is now provable, we obtain a proof
term $P_2$. The proof term of the rule is constructed in the same way as in rule $\mathit{L}{\to}$: application and
instantiation have to be combined. The proof term has the form $(\mathrm{let}\ (\mathrm{app}\ X\ P_1)\ \mathrm{be}\ Z\ \mathrm{in}\ P_2)$.

$$\frac{\Gamma_1, X \in \forall Y{:}A_G.\,D, \Gamma_2 \vdash_\Sigma P_1 \in A_G \qquad \Gamma_1, X \in \forall Y{:}A_G.\,D, \Gamma_2, Z \in [P_1/Y](D) \vdash_\Sigma P_2 \in G}{\Gamma_1, X \in \forall Y{:}A_G.\,D, \Gamma_2 \vdash_\Sigma (\mathrm{let}\ (\mathrm{app}\ X\ P_1)\ \mathrm{be}\ Z\ \mathrm{in}\ P_2) \in G}\ \mathit{L}{\forall}$$
The existential rule on the left corresponds to the conjunction rule on the left. It is applicable
if $\exists Y{:}A_D.\,D$ is an assumption in the context. This implies that the witness object is available
and also a proof term of $[X_1/Y](D)$, where $X_1$ represents the witness object. This proof term
is represented by $X_2$. Let $P$ be a proof term of the goal formula $G$ proven from this extended set
of assumptions. It can be shown that $\{(\mathrm{inx}\ X_1\ X_2)\}$ is a sound and complete set of patterns
for $\exists Y{:}A_D.\,D$. Therefore the proof term has the form $(\mathrm{case}\ X\ \mathrm{of}\ (\mathrm{inx}\ X_1\ X_2) \Rightarrow P)$.

$$\frac{\Gamma_1, X \in \exists Y{:}A_D.\,D, \Gamma_2, X_1 \in A_D, X_2 \in [X_1/Y](D) \vdash_\Sigma P \in G}{\Gamma_1, X \in \exists Y{:}A_D.\,D, \Gamma_2 \vdash_\Sigma (\mathrm{case}\ X\ \mathrm{of}\ (\mathrm{inx}\ X_1\ X_2) \Rightarrow P) \in G}\ \mathit{L}{\exists}$$
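As an added example that is not part of the thesis, the following checker decides $\Gamma \vdash_\Sigma P \in G$ for the quantifier-free part of the rules given above (id, const, R1, R∧, R∨1, R∨2, R→, L∧, L∨, L→), reading each rule bottom-up with the shape of the proof term selecting the rule. Formulae, proof terms, the sample signature and the three sample terms are constructed here; the quantifier rules, rec and the case rule on LF objects are left out.

```python
"""Added example, not from the thesis: a checker for MLF proof terms against
the quantifier-free part of the rules in this section (id, const, R1, R∧,
R∨1, R∨2, R→, L∧, L∨, L→).  Formulae, proof terms and the sample signature
are constructed here; quantifiers, rec and the case rule on LF objects are
left out."""
from dataclasses import dataclass

# formulae: embedded atomic LF types, 1, conjunction, disjunction, implication D → G
@dataclass(frozen=True)
class Atom: name: str
@dataclass(frozen=True)
class Top: pass
@dataclass(frozen=True)
class And: left: object; right: object
@dataclass(frozen=True)
class Or: left: object; right: object
@dataclass(frozen=True)
class Imp: left: object; right: object

# proof terms: the program constructors of MLF
@dataclass(frozen=True)
class Var: name: str
@dataclass(frozen=True)
class Unit: pass
@dataclass(frozen=True)
class Pair: fst: object; snd: object
@dataclass(frozen=True)
class Inl: arg: object
@dataclass(frozen=True)
class Inr: arg: object
@dataclass(frozen=True)
class Fun: var: str; body: object                   # fun X.P
@dataclass(frozen=True)
class App: fn: object; arg: object                  # app P1 P2
@dataclass(frozen=True)
class Let: bound: object; var: str; body: object    # let bound be var in body
@dataclass(frozen=True)
class Case: scrut: str; branches: tuple             # case X of pattern => body | ...

def lookup(ctx, x):
    """Formula of the right-most assumption x ∈ D in the context, or None."""
    for name, formula in reversed(ctx):
        if name == x: return formula
    return None

def check(ctx, p, g, sig=None):
    """Decide Γ ⊢_Σ P ∈ G; the shape of P selects the rule, read bottom-up."""
    sig = sig or {}
    if isinstance(p, Var):                            # id, or const for c : A_G in Σ
        return lookup(ctx, p.name) == g or sig.get(p.name) == g
    if isinstance(p, Unit):                           # R1
        return g == Top()
    if isinstance(p, Pair):                           # R∧
        return isinstance(g, And) and check(ctx, p.fst, g.left, sig) and check(ctx, p.snd, g.right, sig)
    if isinstance(p, Inl):                            # R∨1
        return isinstance(g, Or) and check(ctx, p.arg, g.left, sig)
    if isinstance(p, Inr):                            # R∨2
        return isinstance(g, Or) and check(ctx, p.arg, g.right, sig)
    if isinstance(p, Fun):                            # R→: assume X ∈ D, prove G
        return isinstance(g, Imp) and check(ctx + [(p.var, g.left)], p.body, g.right, sig)
    if isinstance(p, Let):                            # L→: let (app X P1) be Y in P2
        if not (isinstance(p.bound, App) and isinstance(p.bound.fn, Var)): return False
        d = lookup(ctx, p.bound.fn.name)
        return (isinstance(d, Imp) and check(ctx, p.bound.arg, d.left, sig)
                and check(ctx + [(p.var, d.right)], p.body, g, sig))
    if isinstance(p, Case):                           # L∧ / L∨ with their sound and complete pattern sets
        d = lookup(ctx, p.scrut)
        if isinstance(d, And) and len(p.branches) == 1:
            (pat, body), = p.branches
            return (isinstance(pat, Pair) and isinstance(pat.fst, Var) and isinstance(pat.snd, Var)
                    and check(ctx + [(pat.fst.name, d.left), (pat.snd.name, d.right)], body, g, sig))
        if isinstance(d, Or) and len(p.branches) == 2:
            (pl, bl), (pr, br) = p.branches
            return (isinstance(pl, Inl) and isinstance(pl.arg, Var)
                    and isinstance(pr, Inr) and isinstance(pr.arg, Var)
                    and check(ctx + [(pl.arg.name, d.left)], bl, g, sig)
                    and check(ctx + [(pr.arg.name, d.right)], br, g, sig))
    return False

# constructed sample: two embedded atomic types a and b, and three proof terms
A, B = Atom("a"), Atom("b")
SWAP = Fun("X", Case("X", ((Pair(Var("X1"), Var("X2")), Pair(Var("X2"), Var("X1"))),)))      # (a ∧ b) → (b ∧ a)
COMM = Fun("X", Case("X", ((Inl(Var("X1")), Inr(Var("X1"))), (Inr(Var("X2")), Inl(Var("X2"))))))  # (a ∨ b) → (b ∨ a)
MP = Let(App(Var("X"), Var("Y")), "Z", Var("Z"))                                               # b from X ∈ a → b, Y ∈ a

def demo():
    """(valid SWAP, SWAP against the wrong goal, valid COMM, valid MP, MP with Y missing from Γ)."""
    return (check([], SWAP, Imp(And(A, B), And(B, A))),
            check([], SWAP, Imp(And(A, B), And(A, B))),
            check([], COMM, Imp(Or(A, B), Or(B, A))),
            check([("X", Imp(A, B)), ("Y", A)], MP, B),
            check([("X", Imp(A, B))], MP, B))
```

Because the context is kept as an ordered list that is only ever extended on the right, the checker never needs exchange, weakening or contraction, matching the remark above that no structural rules are part of the calculus; the duplicated left formula of each left rule is simply left in place.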

This concludes the presentation of the set of rules which are defined along the lines of
[Gal93]. Next, we define a set of rules which treat embedded $\Pi$-abstractions as data formulae.

LF related rules Assume we have an assumption of a functional LF type in the actual
context. This assumption is of the form $\Pi x{:}A_G.\,A_D$. MLF is allowed to look inside the
embedding function. Assume we can find a proof term of the formula $A_G$. This proof term
might be of arbitrary form $P'$. Since we know that $P'$ can be projected to the LF level, we can
define an additional assumption $((\Pi x{:}A_G.\,A_D)\ \underline{P'})$ with which $G$ is to be proven. It is obvious
that the embedded type is not pure. To preserve purity, we restrict the form of the proof term
to be either $M$ or a meta variable $Z$. We obtain the following rules:

$$\frac{\Gamma_1, X \in \Pi x{:}A_G.\,A_D, \Gamma_2 \vdash_\Sigma M \in A_G \qquad \Gamma_1, X \in \Pi x{:}A_G.\,A_D, \Gamma_2, Y \in \{M/x\}_{\mathit{type}}(A_D) \vdash_\Sigma P \in G}{\Gamma_1, X \in \Pi x{:}A_G.\,A_D, \Gamma_2 \vdash_\Sigma [X\ M/Y](P) \in G}\ \mathit{L}\Pi$$

and

$$\frac{\Gamma_1, X \in \Pi x{:}A_G.\,A_D, \Gamma_2 \vdash_\Sigma Z \in A_G \qquad \Gamma_1, X \in \Pi x{:}A_G.\,A_D, \Gamma_2, Y \in \{Z/x\}_{\mathit{type}}(A_D) \vdash_\Sigma P \in G}{\Gamma_1, X \in \Pi x{:}A_G.\,A_D, \Gamma_2 \vdash_\Sigma [X\ Z/Y](P) \in G}\ \mathit{L}\Pi\mathit{V}$$

We will discuss the notion of purity in MLF in more detail in section 4.1. It seems as if we
restricted the application possibilities for this rule quite a lot. But it turns out that in all the
examples we were experimenting with, no negative indication occurred that the restriction to $M$ and
$Z$ is too strong.

The second group of LF related rules is as follows. Both previous rules assumed an embedded $\Pi$-type
to be declared in the context. This is not the only place where $\Pi$-types are defined: constants
of $\Pi$-types are defined in the signature. The motivation for the next rules is to connect MLF
to the signature. The rules are very similar to $\mathit{L}\Pi$ and $\mathit{L}\Pi\mathit{V}$; the only difference is that
$\Pi x{:}A_G.\,A_D$ is part of the signature and not of the context. Note that we have to apply the
same argument to motivate the restriction of considering only programs $M$ and meta variables
$Z$, and not arbitrary programs of the form $P'$, as proof terms of $A_G$. We define the following two
rules:

$$\frac{\Gamma \vdash_\Sigma M \in A_G \qquad \Gamma, Y \in \{M/x\}_{\mathit{type}}(A_D) \vdash_\Sigma P \in G}{\Gamma \vdash_\Sigma [c\ M/Y](P) \in G}\ \mathit{L}\Pi\Sigma \qquad \text{where } c : \Pi x{:}A_G.\,A_D \in \Sigma$$

and

$$\frac{\Gamma \vdash_\Sigma Z \in A_G \qquad \Gamma, Y \in \{Z/x\}_{\mathit{type}}(A_D) \vdash_\Sigma P \in G}{\Gamma \vdash_\Sigma [c\ Z/Y](P) \in G}\ \mathit{L}\Pi\Sigma\mathit{V} \qquad \text{where } c : \Pi x{:}A_G.\,A_D \in \Sigma$$

To  complete  the  inference  rule  system  of  MLF  we  have  to  define  two  more  rules.  The  case 
distinction  rule  is  still  missing  and  also  the  cut  rule,  which  allows  application,  and  the  reuse  of 
already  proven  lemmata. 


Case  Distinction 

Next, we introduce the case distinction rule. For inductive proofs over inductively defined
types, case distinction is a common proof strategy. Several systems which can perform meta
level reasoning, like Coq [C+95], PVS [ORS92, RSC95] and others, possess an inductive proof
component. They are based on the generation of induction principles. MLF does not follow this
idea but provides recursion and case distinction as the major components for inductive proofs.
We outline the motivation behind the definition of the case distinction rule.

Assume we want to derive a judgment of the form $\Gamma \vdash_\Sigma Q \in G$ where $X$ is a free variable
in $G$, and possibly also in $\Gamma$. $X$ must be defined in $\Gamma$, otherwise $\Gamma$ is not well-formed. Suppose
that $X$ is a variable of the goal formula $A_G$. The idea is that if we find a proof term $P$ of $A_G$,
we would like to restrict the proof by considering the different forms the program $P$ can take.
The form of $P$ leads to a set of subproofs, where $\Gamma$ and $G$ are refined.

The form of the program $P$ is arbitrary. Using an appropriate reduction relation, $P$ can be
rewritten to $M$. $M$ is an LF object of type $A_G$ in context $\Gamma$. The different forms $M$ can take are
defined by the signature. Since $\Sigma$ is fixed, it is possible to derive a sound and complete set of
patterns for $A_G$. But how can this set be determined? The question is challenging because $A_G$
is a dependent type.

A sound and complete set of patterns for $A_G$ can be found by selecting a certain subset of
the signature $\Sigma$, call it $\Sigma'$ for now. $\Sigma'$ should contain only object constant declarations and
not type constant declarations. For all object constant declarations $c : A_D$ in $\Sigma'$ the following
must hold: $A_G$ must be refinable into the type $A_D$, but $A_D$ might not be atomic. In general it
has the form

$$A_D = \Pi x_1{:}A_{G_1} \ldots \Pi x_n{:}A_{G_n}.\,A_P$$

If we assume that there are proof terms $X_1 \in A_{G_1}$ up to $X_n \in A_{G_n}$, we can transform $A_D$ into
an atomic type:

$$A_P' = \{X_1/x_1 \ldots X_n/x_n\}(A_P)$$

If this type $A_P'$ is a refinement of the original type $A_G$, then $(c\ X_1 \ldots X_n)$ is a pattern of an object
of the refined type $A_G$.
We will now make this notion of refinement more precise. $\Sigma'$ was defined as a subset of the
signature. Every declaration in $\Sigma'$ contributes to a refinement of the type $A_G$. The refinement
is essentially a substitution which unifies $A_G$ and $A_P'$. These observations lead to the definition
of the refinement of a type:

Definition 3.30 (Refinement of types) $(\Delta, \Theta)$ is a refinement of $X \in A_G$ in context $\Gamma$ using
$c : \Pi x_1{:}A_{G_1} \ldots \Pi x_n{:}A_{G_n}.\,A_P$ if the following conditions hold:

1. $\{X_1, \ldots, X_n\}$ are fresh meta variables in $\Gamma$

2. $\Theta' = \mathrm{Unify}([X_1/x_1 \ldots X_n/x_n](A_P) \approx A_G)$

3. $\Theta = \Theta'|_{\mathrm{dom}(\Gamma)} \cup (c\ X_1 \ldots X_n / X)$

4. $\Delta$ is inductively defined as $\Delta_n$:

$$\Delta_0 = \cdot \qquad\qquad \Delta_{i+1} = \Delta_i, X_{i+1} \in [X_1/x_1 \ldots X_i/x_i]_{\mathit{type}}(A_{G_{i+1}})$$

Note that the unification problem is a real unification problem and not only a matching
problem. This becomes immediately evident when looking at the following example: assume
that we can derive a program $P$ from a context $\Gamma$ of type $P \in \mathrm{eval}\ Y\ (\mathrm{s}\ \mathrm{z})$. Obviously, the
meta variable $Y$ must be declared in the context $\Gamma$. If we perform the unification algorithm to
unify this formula with $\mathrm{eval}\ (\mathrm{s}\ X_1)\ (\mathrm{s}\ X_2)$, we obtain the following substitution $\Theta$:

$$\Theta = ((\mathrm{s}\ X_1)/Y,\ \mathrm{z}/X_2)$$

Strictly speaking, the substitution consists of two parts, a refinement part and a so called verification
part. The refinement substitution assigns terms made of new variables to old variables.
In this example, the refinement substitution has the form $\Theta_r = [(\mathrm{s}\ X_1)/Y]$. The other part of
the substitution is called the verification substitution. In this case the newly introduced variables
are assigned to subterms. In the example above, the verification substitution has the
form $\Theta_v = [\mathrm{z}/X_2]$. Obviously, $\mathrm{z}$ is not further refinable. The verification part of a substitution
therefore does not contribute to the form of the refinement, but it simply carries the information
that it is possible to make the given term and the term taken from the signature equal. The
verification part of the substitution is not of our concern; it is handled by the rule, as we will see
when we actually define the case rule. The part of the substitution we need is the refinement
substitution. To obtain the refinement substitution we have to restrict the substitution $\Theta$ in the
definition of $\mathrm{Ind}_{\Sigma,\Gamma}(X, A_G)$ to the domain of $\Gamma$.

Based on this definition, we define the set of all possible refinements: $\mathrm{Ind}_{\Sigma,\Gamma}(X, A_G)$. $X$ is
the variable induction is made over, $A_G$ its formula. To obtain now the set of all possible
constructors, we have to select all those declarations $c : A_P$ which may refine $A_G$. $\mathrm{Ind}_{\Sigma,\Gamma}(X, A_G)$
is a set of pairs $(\Delta, \Theta)$:

Definition 3.31 (Inductive type) Let $\Gamma$ be a context, $\Sigma$ be a signature, $X$ a variable, and $A_G$
be an atomic LF type. The inductive type of $X$, $A_G$ with respect to $\Gamma$ and $\Sigma$ is defined as

$$\mathrm{Ind}_{\Sigma,\Gamma}(X, A_G) = \{(\Delta, \Theta) \mid (\Delta, \Theta) \text{ is a refinement of } X \in A_G \text{ in context } \Gamma \text{ using } c : A \text{ in } \Sigma\}$$
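As an added example that is not part of the thesis, the code below carries the eval example and Definitions 3.30 and 3.31 through in working form: first-order unification of the atomic type with a constructor's result type, the split of the unifier into its refinement part (restricted to $\mathrm{dom}(\Gamma)$) and its verification part, and from these the pair $(\Delta, \Theta)$ and the set $\mathrm{Ind}_{\Sigma,\Gamma}(X, A_G)$. The term encoding, the context and the two-constructor signature fragment are constructed here; the constructor `ev_s` is given a third, dependent premise argument (not in the text's example) so that step 4 of Definition 3.30 has a dependency to show.

```python
"""Added example, not from the thesis: unification of an atomic type with a
constructor's result type, the split of the unifier into refinement part
(dom Γ) and verification part, and from it the refinement (Δ, Θ) of
Definition 3.30 and the set Ind of Definition 3.31.  The term encoding, the
signature fragment (ev_s carries a third, dependent premise argument added
here) and the context are constructed for this example."""

# term encoding: a variable is a str (meta variables upper-case, LF bound
# variables lower-case); a constant application is a tuple (head, arg1, ..., argn)
def is_var(t): return isinstance(t, str)

def apply(theta, t):
    """[theta](t), following bindings until no bound variable remains."""
    if is_var(t):
        return apply(theta, theta[t]) if t in theta else t
    return (t[0],) + tuple(apply(theta, a) for a in t[1:])

def occurs(x, t):
    return t == x if is_var(t) else any(occurs(x, a) for a in t[1:])

def unify(s, t, theta=None):
    """Most general unifier of s ≈ t (Robinson-style, with occurs check); None if none exists."""
    theta = {} if theta is None else theta
    s, t = apply(theta, s), apply(theta, t)
    if s == t: return theta
    if is_var(s):
        if occurs(s, t): return None
        theta[s] = t
        return theta
    if is_var(t): return unify(t, s, theta)
    if s[0] != t[0] or len(s) != len(t): return None
    for a, b in zip(s[1:], t[1:]):
        theta = unify(a, b, theta)
        if theta is None: return None
    return theta

def split(theta, gamma_vars):
    """Refinement part (old variables, in dom Γ) and verification part (new variables)."""
    refine = {x: apply(theta, t) for x, t in theta.items() if x in gamma_vars}
    verify = {x: apply(theta, t) for x, t in theta.items() if x not in gamma_vars}
    return refine, verify

def refinement(x, a_g, gamma_vars, con):
    """(Δ, Θ) for X ∈ A_G in Γ using c : Πx1:A1 .. Πxn:An. A_P (Definition 3.30),
    together with the verification part of Θ'; None if c cannot refine A_G."""
    name, params, a_p = con
    used, fresh = set(gamma_vars), []
    for i in range(1, len(params) + 1):          # 1. fresh meta variables X1..Xn
        v = f"X{i}"
        while v in used: v += "'"
        used.add(v); fresh.append(v)
    rename = dict(zip([p for p, _ in params], fresh))
    theta1 = unify(apply(rename, a_p), a_g)      # 2. Θ' = Unify([X1/x1..Xn/xn](A_P) ≈ A_G)
    if theta1 is None: return None
    refine, verify = split(theta1, gamma_vars)   # 3. Θ = Θ'|dom(Γ) ∪ (c X1..Xn / X)
    theta = {**refine, x: (name,) + tuple(fresh)}
    delta = [(fresh[i], apply(rename, a)) for i, (_, a) in enumerate(params)]  # 4. Δ_n
    return delta, theta, verify

def inductive_type(x, a_g, gamma_vars, sig):
    """Ind_{Σ,Γ}(X, A_G): every (Δ, Θ) some constructor of the signature yields (Definition 3.31)."""
    result = []
    for con in sig:
        r = refinement(x, a_g, gamma_vars, con)
        if r is not None: result.append(r[:2])
    return result

# constructed signature fragment for eval on unary numerals
NAT, Z = ("nat",), ("z",)
def S(n): return ("s", n)
SIG = [
    ("ev_z", [], ("eval", Z, Z)),
    ("ev_s", [("x1", NAT), ("x2", NAT), ("d", ("eval", "x1", "x2"))], ("eval", S("x1"), S("x2"))),
]
# the text's example: Y is declared in Γ and X ∈ eval Y (s z) is to be refined
GAMMA_VARS = {"Y"}
A_G = ("eval", "Y", S(Z))
```

For `ev_s` the unifier is $\{(\mathrm{s}\ X_1)/Y,\ \mathrm{z}/X_2\}$; restricting it to $\mathrm{dom}(\Gamma) = \{Y\}$ gives the refinement part, the binding of $X_2$ is the verification part, and $\Delta$ records that $X_3$ depends on $X_1$ and $X_2$. `ev_z` fails to unify (its result type starts with $\mathrm{z}$ where $A_G$ has $\mathrm{s}\ \mathrm{z}$), so it contributes nothing to $\mathrm{Ind}$.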
In the definition of the case rule we distinguish between all the different refinements in $\mathrm{Ind}_{\Sigma,\Gamma}(X, A_G)$. The case rule therefore has as many premisses as $\mathrm{Ind}_{\Sigma,\Gamma}(X, A_G)$ has elements.

There are many different ways to define the case rule. For our system we want the case rule to have the following property: the inductive argument is assumed to be carried out for a more general atomic type. When the atomic type is specialized by a substitution $\eta$, the same proofs of the premisses should still be valid. $\eta$ incorporates the verification part of the substitution $\Theta$. Here is the rule:


$$
\frac{\vdash_\Sigma [P/X](\Gamma)\ \mathrm{ctx} \qquad \Gamma \vdash_\Sigma P \in A_G \qquad \Delta^{(i)}, [\Theta^{(i)}](\Gamma') \vdash_\Sigma P^{(i)} \in [\Theta^{(i)}](G') \ \ (\text{for all } i \le n)}
{[P/X](\Gamma) \vdash_\Sigma \left(\begin{array}{l} \mathbf{case}\ P\ \mathbf{of} \\ c_1\ Y^{(1)}_1 \ldots Y^{(1)}_{k_1} \Rightarrow [\eta](P^{(1)}) \\ \quad \vdots \\ c_n\ Y^{(n)}_1 \ldots Y^{(n)}_{k_n} \Rightarrow [\eta](P^{(n)}) \end{array}\right) \in [P/X](G)}\ \mathrm{case}
$$

where the following side conditions hold:

1. $\mathrm{Ind}_{\Sigma,\Gamma}(X, A_G') = \{(\Delta^{(1)}, \Theta^{(1)}), \ldots, (\Delta^{(n)}, \Theta^{(n)})\}$

2. There is an $\eta$ s.t. $[\eta](A_G') = A_G$, $[\eta](\Gamma') = \Gamma$ and $[\eta](G') = G$

Lemma 3.32 $\Delta^{(i)}$ and $\Theta^{(i)}$ enjoy the following properties:

$$\mathrm{Free}(\Delta^{(i)}) \subseteq \{Y^{(i)}_1, \ldots, Y^{(i)}_{k_i}\} \tag{3.6}$$

$$\mathrm{Var}(\Delta^{(i)}) = \{Y^{(i)}_1, \ldots, Y^{(i)}_{k_i}\} \tag{3.7}$$

$$\vdash_\Sigma \Delta^{(i)}\ \mathrm{ctx} \tag{3.8}$$

$$\Theta^{(i)} \text{ is strictly pure} \tag{3.9}$$

Proof: For all $(\Delta^{(i)}, \Theta^{(i)}) \in \mathrm{Ind}_{\Sigma,\Gamma}(X, A_G)$, the types $A$ of the declarations $c : A$ used to form $(\Delta^{(i)}, \Theta^{(i)})$ are declared in the signature and therefore closed. Consequently (3.6) and (3.7) hold. $\Theta^{(i)}$ is strict by construction, and an inductive argument yields $\vdash_\Sigma \Delta^{(i)}$ ctx. □


The Cut rule

The definition of the cut rule is similar to the one introduced in [Pfe94c]. The definition is not straightforward because of dependencies: the problem lies in the choice of how to relate the contexts of the premisses with the context of the conclusion. For every element $X \in D$ in the context $\Gamma$ of a sequent, all variables introduced in $\Gamma$ before $X$ can possibly occur in $D$.

Looking at the cut rule from top to bottom, it can be interpreted as a way to perform application. Assume we have a proof of $\Gamma \vdash_\Sigma (\mathbf{fun}\ X.P) \in \forall X : A_D.\,G$. This sequent can be read as: in a certain context $\Gamma$, a program was found which for every element of $A_D$ yields a proof term of the goal formula $G$. Suppose now that we have a different sequent, $\Gamma_1, Y \in \forall X : A_G.\,G, \Gamma_2 \vdash_\Sigma P' \in G'$. This sequent reads as follows: under the assumption that we have a program of the data formula $\forall X : A_G.\,G$, we can effectively construct a proof term of some goal formula $G'$. The purpose of the cut rule is to combine both proof terms into a proof term which witnesses the following judgment: from the remaining contexts of both participating sequents, a proof term for the goal formula $G'$ can be constructed.

Because  of  the  definition  of  goal  and  data  formula,  the  universally  quantified  formulae  might 
not  be  identical  in  both  sequents.  We  therefore  must  restrict  the  cut  formula  to  be  a  core  formula 
—  as  in  the  case  for  recursion.  We  have  seen  that  every  core  formula  is  a  data  formula  and  a 
goal  formula. 

The cut rule is defined as follows: two sequents can be cut with each other if a core formula $C$ occurs as the goal formula of one sequent and as a declaration $X \in C$ in the context of the other. The declaration of the cut formula is removed from the second sequent and every free occurrence of $X$ is replaced by the proof term of the first. Note that the variable $X$ cannot occur free in the context of the first sequent: the context $\Gamma_1$ of the first sequent must be the initial segment of the context of the second, and in the second context the meta variable $X$ is declared only after $\Gamma_1$; if $X$ occurred in $\Gamma_1$, the context of the second sequent would not be well-formed and the sequent would not be provable. Here is the definition of the cut rule:

$$\frac{\Gamma_1 \vdash_\Sigma P \in C \qquad \Gamma_1, X \in C, \Gamma_2 \vdash_\Sigma P' \in G}{\Gamma_1, [P/X](\Gamma_2) \vdash_\Sigma [P/X](P') \in [P/X](G)}\ \mathrm{cut}$$

This concludes the set of typing rules for $\Gamma \vdash_\Sigma P \in G$. In the next chapter we describe some theoretical properties of MLF.
Chapter 4

Theoretical Aspects of MLF


This chapter states some proof theoretic results about MLF. The system as we defined it has to be analyzed appropriately. In section 3.3 we defined the difference between objects and pure objects. We now define two notions of purity preservation of different strength. Then we show that MLF, as we defined it, preserves purity according to the weaker notion. If we refine the system slightly, we can prove purity preservation in the stronger sense.

The second result we show is a local reduction theorem. The local reduction theorem is the first step towards a cut elimination theorem. A general cut elimination theorem might be too general (if provable at all) and its proof would be beyond the scope of this thesis. Important results on the way to the local reduction theorem are the admissibility of weakening and contraction.

This chapter is organized as follows: in the first section we give the purity results, in the second we give the local reduction proof.


4.1  Purity  results 

The notion of purity was defined to distinguish between objects which depend on meta variables alone and objects which depend on composite programs. In this section we examine how purity and MLF go together. We show that the system defined in section 3.3 preserves purity in the sense that if all contexts, programs and formulae participating in the premisses are pure, then the context, program and formula in the conclusion are pure. In a next step we generalize the inference system of MLF to a stronger inference system, called the inference system for pure MLF. There we can prove for the cut-free fragment that if $\Gamma \vdash_\Sigma P \in G$ is derivable, and $\Gamma$ and $G$ are pure, then the resulting program $P$ must be pure, too. We call both results purity preservation results. In the first case, purity is preserved with respect to rule application, in the second, purity is preserved with respect to derivations.

4.1.1  Basic  Results 

In section 3.1 we also introduced the notions of pure and strictly pure substitutions. A pure substitution is a substitution in which all participating programs are pure. It is obvious that the application of a pure substitution to a pure object may generate an impure object. Since we want to say something about pure objects, it makes sense to strengthen the definition of pure substitution and to classify those which generate pure programs. We call those substitutions strictly pure. It is also clear that the participating programs may then no longer be arbitrary programs, but only meta variables and embedded LF objects.

For strictly pure substitutions we first have to show some basic results. First, strictly pure substitutions do what they are supposed to do, namely preserve purity when applied to something. Second, we show that the reverse also holds: if an object is the result of applying an arbitrary substitution to some other object, and the result is known to be pure, then the original object must have been pure. Or, to put it the other way around: no impure object can turn pure by applying a substitution to it. A third result is similar to the second. If a pure object is the result of a substitution applied to an object $M$, then the substitution must be strict, at least in the variables which are used to produce the result object, i.e. the free variables occurring in $M$. Again, we can put this result the other way around: if we substitute into an object programs which are neither meta variables nor embedded LF objects, then the result cannot be pure.

We give these basic results first for objects and types, then for programs, formulae and finally for contexts. Since there are dependencies between objects and types, some of the theorems have to be proved by mutual induction. Here are the three theorems for pure objects and pure types. The proofs are by induction; the detailed proofs are given in appendix B.


Basic  Results  for  Objects  and  Types 

By mutual induction we can show that a strict $\Theta$ applied to objects or types preserves purity.

Lemma 4.1 Let $M'$ be a pure object, $A'$ a pure type, and $\Theta$ a strictly pure substitution, i.e. $\Theta(X) = Y$ or $\Theta(X) = M$ for all $X \in \mathrm{dom}(\Theta)$. Then $\Theta(M')$ is pure and $\Theta(A')$ is pure.

On the other side, we can show that substitutions cannot purify objects

Lemma 4.2 Let $\Theta$ be a substitution and $[\Theta](M)$ be a pure object. Then $M$ is pure.

and types

Lemma 4.3 Let $\Theta$ be a substitution and $[\Theta](A)$ be a pure type. Then $A$ is pure.

The third result has to be shown by mutual induction on objects and types. If $\Theta$ generates a pure result object/type, then $\Theta$ must be strict at least in the variables which are used to produce the result object:

Lemma 4.4 Let $\Theta$ be a substitution, $M$ an object with $[\Theta]_{object}(M)$ pure, and $A$ a type with $[\Theta]_{type}(A)$ pure. Then $\Theta|_{\mathrm{Free}(M)}$ is strict and $\Theta|_{\mathrm{Free}(A)}$ is strict.
Basic Results for Programs

Strict $\Theta$ preserve purity for programs:

Lemma 4.5 Let $P'$ be a pure program and $\Theta$ a strictly pure substitution. Then $\Theta(P')$ is pure.

And impure programs cannot be purified by substitution application:

Lemma 4.6 Let $\Theta$ be a substitution and $[\Theta](P)$ be pure. Then $P$ is pure.

The third result we had for objects and types is certainly not available for programs: let $\Theta$ be a substitution and $P = (\mathbf{pair}\ P_1\ P_2)$ a program with $P_1, P_2$ variables. Then $\Theta(P) = (\mathbf{pair}\ \Theta(P_1)\ \Theta(P_2))$ is a pure program for arbitrary pure programs $\Theta(P_1)$ and $\Theta(P_2)$, whether or not $\Theta$ is strict.
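The basic results above can be checked on a toy model. The following Python code is an added example, not part of the thesis: its syntax (constants, meta variables, LF application, and the single composite program constructor `pair`) is a deliberate simplification of MLF, and its purity and strictness predicates follow the informal description in this section rather than the thesis's formal definitions. It exercises Lemma 4.1 (a strictly pure substitution keeps a pure object pure), the remark that a pure but non-strict substitution can destroy purity, Lemma 4.2 (no substitution purifies an impure object), Lemma 4.4 (strictness is forced on the free variables of the substituted object) and the `(pair P1 P2)` counterexample for programs. All sample terms are constructed for the example.

```python
# Toy model of purity under substitution: an added illustration with a
# deliberately simplified syntax, not the thesis's own definitions.
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Tuple, Union

@dataclass(frozen=True)
class Const:          # LF constant c declared in the signature
    name: str

@dataclass(frozen=True)
class Var:            # meta variable X
    name: str

@dataclass(frozen=True)
class App:            # LF application (c M1 ... Mn)
    head: Const
    args: Tuple["Term", ...]

@dataclass(frozen=True)
class Pair:           # composite program (pair P1 P2)
    fst: "Term"
    snd: "Term"

Term = Union[Const, Var, App, Pair]
Subst = Dict[str, Term]      # Theta: meta variable name -> program

def is_pure_object(m: Term) -> bool:
    """An object is pure iff no composite program (Pair) occurs in it."""
    if isinstance(m, App):
        return all(is_pure_object(a) for a in m.args)
    return not isinstance(m, Pair)

def is_pure_program(p: Term) -> bool:
    """A program is pure iff every LF object embedded in it is pure."""
    if isinstance(p, Pair):
        return is_pure_program(p.fst) and is_pure_program(p.snd)
    return is_pure_object(p)     # a meta variable or an embedded object

def free_vars(t: Term) -> FrozenSet[str]:
    if isinstance(t, Var):
        return frozenset({t.name})
    if isinstance(t, App):
        return frozenset().union(*(free_vars(a) for a in t.args))
    if isinstance(t, Pair):
        return free_vars(t.fst) | free_vars(t.snd)
    return frozenset()

def is_pure_subst(theta: Subst) -> bool:
    """Pure substitution: every participating program is pure."""
    return all(is_pure_program(p) for p in theta.values())

def is_strictly_pure(theta: Subst) -> bool:
    """Strictly pure: every image is a meta variable or a pure LF object."""
    return all(is_pure_object(p) for p in theta.values())

def restrict(theta: Subst, names: Iterable[str]) -> Subst:
    """Theta restricted to the given variables (Theta|names)."""
    return {x: p for x, p in theta.items() if x in set(names)}

def apply(theta: Subst, t: Term) -> Term:
    """[Theta](t): replace every free meta variable by its image."""
    if isinstance(t, Var):
        return theta.get(t.name, t)
    if isinstance(t, App):
        return App(t.head, tuple(apply(theta, a) for a in t.args))
    if isinstance(t, Pair):
        return Pair(apply(theta, t.fst), apply(theta, t.snd))
    return t

# Constructed sample terms (not taken from the thesis).
c, d = Const("c"), Const("d")
X, Y, Z = Var("X"), Var("Y"), Var("Z")
M = App(c, (X, App(d, ())))      # pure object whose only free variable is X

def strict_subst_preserves_purity() -> bool:
    """Lemma 4.1: a strictly pure Theta keeps the pure object M pure."""
    theta = {"X": App(d, (Y,)), "Z": Y}
    return is_strictly_pure(theta) and is_pure_object(apply(theta, M))

def pure_but_non_strict_subst() -> Tuple[bool, bool]:
    """A pure but non-strict Theta can turn a pure object impure."""
    theta = {"X": Pair(Y, Z)}
    return is_pure_subst(theta), is_pure_object(apply(theta, M))

def strictness_only_on_free_vars() -> Tuple[bool, bool, bool]:
    """Lemma 4.4: [Theta](M) pure forces Theta|Free(M) strict (Z not in M)."""
    theta = {"X": Y, "Z": Pair(Y, Y)}
    return (is_pure_object(apply(theta, M)), is_strictly_pure(theta),
            is_strictly_pure(restrict(theta, free_vars(M))))

def no_purification() -> Tuple[bool, bool]:
    """Lemma 4.2 contrapositively: an impure object stays impure."""
    impure = App(c, (Pair(X, Y),))
    return is_pure_object(impure), is_pure_object(apply({"X": Z, "Y": Z}, impure))

def program_counterexample() -> Tuple[bool, bool]:
    """No Lemma 4.4 for programs: (pair P1 P2) stays pure under non-strict Theta."""
    P = Pair(Var("P1"), Var("P2"))
    theta = {"P1": Pair(X, Y), "P2": App(c, (Z,))}
    return (is_pure_program(apply(theta, P)),
            is_strictly_pure(restrict(theta, free_vars(P))))
```

Each demo function returns the truth values the corresponding lemma predicts: `strictness_only_on_free_vars()` yields `(True, False, True)`, showing that the whole substitution need not be strict but its restriction to `Free(M)` must be, and `program_counterexample()` yields `(True, False)`, the pure result under a non-strict substitution that rules out a program version of Lemma 4.4.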

Basic  Results  for  Formulae 

The results in the case of formulae are straightforward. All the lemmas are easy to prove by induction and we obtain the following three lemmata:

Lemma 4.7 Let $G'$ be a pure formula and $\Theta$ a strictly pure substitution. Then $\Theta(G')$ is pure.

Lemma 4.8 Let $\Theta$ be a substitution and $[\Theta](G)$ be a pure formula. Then $G$ is pure.

Lemma 4.9 Let $\Theta$ be a substitution, $G$ a formula and $[\Theta]_{formula}(G)$ pure. Then $\Theta|_{\mathrm{Free}(G)}$ is strict.

It is clear that the proofs of these lemmata refer to the basic results we obtained for types, since types may be embedded into formulae.

Basic  Results  for  Contexts 

And finally, we prove two of the basic results for contexts. We will not need a strictness lemma for contexts in the purity analysis of MLF.

Lemma 4.10 Let $\Gamma'$ be a pure context and $\Theta$ a strictly pure substitution. Then $\Theta(\Gamma')$ is pure.

Lemma 4.11 Let $\Theta$ be a substitution and $[\Theta](\Gamma)$ be a pure context. Then $\Gamma$ is pure.

So far we presented some properties of objects, types, programs and formulae: strictly pure substitutions preserve purity. We now want to tackle a bigger problem: what can be said about the typing rules of MLF? We consider two properties of MLF:

1. Purity preservation of typing rules: if every context, program and goal formula in the premisses of a rule is pure, then the context, program and goal in the conclusion are pure.

2. Purity preservation of derivations: if we have a proof of $\Gamma \vdash_\Sigma P \in G$ and we assume $\Gamma, G$ pure, then $P$ is pure.

To obtain the second property we have to change the set of rules. For example the rule L∀ has the premiss $\Gamma_1, X \in \forall Y : A_G.\,D, \Gamma_2 \vdash_\Sigma P_1 \in A_G$. Under the assumption that the context $\Gamma_1, X \in \forall Y : A_G.\,D, \Gamma_2$ is pure, and therefore $A_G$ is pure, we could prove that the proof term $P_1$ is pure. But looking at the second premiss, $\Gamma_1, X \in \forall Y : A_G.\,D, \Gamma_2, Z \in [P_1/Y](D) \vdash_\Sigma P_2 \in G$, we see that the substitution $[P_1/Y]$ is not necessarily strictly pure. As mentioned earlier, purity is not necessarily preserved by a non-strict substitution application. There is one remedy: the proof system has to be weakened by forcing the substitution to be strictly pure. We show this in subsection 4.1.3. In the next subsection we address the first property.


4.1.2  Purity  Preservation  of  MLF  Rules 

We now prove the weaker formulation of the purity result for the MLF inference system. We remark that we have to establish a side condition for the case rule for this argument to go through. The side condition is as follows: in the premiss of the rule we have the type $A_G$, which implicitly defines the different cases; $A_G$ is an instantiation of $A_G'$, which is used to define $\mathrm{Ind}_{\Sigma,\Gamma}(X, A_G')$. In the original formulation of the rule nothing is said about the purity of $A_G'$. We have to assume that $A_G'$ is pure. The refined version of the rule is given below.


$$
\frac{\vdash_\Sigma [P/X](\Gamma)\ \mathrm{ctx} \qquad \Gamma \vdash_\Sigma P \in A_G \qquad \Delta^{(i)}, [\Theta^{(i)}](\Gamma') \vdash_\Sigma P^{(i)} \in [\Theta^{(i)}](G') \ \ (\text{for all } i \le n)}
{[P/X](\Gamma) \vdash_\Sigma \left(\begin{array}{l} \mathbf{case}\ P\ \mathbf{of} \\ c_1\ Y^{(1)}_1 \ldots Y^{(1)}_{k_1} \Rightarrow [\eta](P^{(1)}) \\ \quad \vdots \\ c_n\ Y^{(n)}_1 \ldots Y^{(n)}_{k_n} \Rightarrow [\eta](P^{(n)}) \end{array}\right) \in [P/X](G)}\ \mathrm{case}'
$$

where the following side conditions hold:

1. $A_G'$ is pure

2. $\mathrm{Ind}_{\Sigma,\Gamma}(X, A_G') = \{(\Delta^{(1)}, \Theta^{(1)}), \ldots, (\Delta^{(n)}, \Theta^{(n)})\}$

3. There is an $\eta$ s.t. $[\eta](A_G') = A_G$, $[\eta](\Gamma') = \Gamma$ and $[\eta](G') = G$

It seems to us that this additional restriction does not restrict the applicability of the rule at all. The framework is designed to reason about LF. Therefore we expect the type $A_G'$ over which induction is made to be an LF type which is a generalization of $A_G$: there exists an $\eta$ s.t. $A_G = [\eta](A_G')$. Assume that $A_G'$ is impure. We can easily construct a more general LF type $A_G''$ which results from $A_G'$ by replacing all impure subprograms by fresh variables. This can be expressed as: there is a substitution $\eta'$ and a pure $A_G''$ s.t. $A_G' = [\eta'](A_G'')$. Hence $A_G''$ is a pure generalization of $A_G$: $A_G = [\eta \circ \eta'](A_G'')$.

We conjecture that the case rule in the MLF framework can be replaced by case' without loss of generality.


Theorem 4.12 Every typing rule in MLF without cut is purity preserving. That is, when the premisses are pure (all participating objects, types, programs, formulae, and contexts are pure) the conclusion will be pure, too.

Proof: Case case': We can assume $P$ to be pure, therefore $[P/X]$ is strictly pure and by lemma 4.10 we obtain that $[P/X](\Gamma)$ is pure. From lemma 4.7 we obtain that $[P/X](G)$ is pure. By side condition 1, $A_G'$ is a pure type. $[\eta](A_G') = A_G$ is pure by the side condition of the rule and the purity of the premisses, therefore $\eta|_{\mathrm{Free}(A_G')}$ is strictly pure by lemma 4.4. Since $\eta = \eta|_{\mathrm{Free}(A_G')}$, $\eta$ is a strictly pure substitution. Consequently for all $i$, $[\eta](P^{(i)})$ is pure (lemma 4.5), and therefore the proof term is a pure program.

Other cases: straightforward.

□

Theorem 4.12 shows that the rules of MLF preserve purity. This result is very useful, because the framework we designed should be restricted to pure objects, pure types, pure formulae and pure programs only. Committing ourselves to a system of inference rules which preserves purity in this sense does not seem to be a disadvantage in terms of expressive power. On the contrary, it makes very clear which LF object and which LF type is used where and how. In the following subsection we go a step further and restrict the inference system for MLF a little more. The result is a system we call pure MLF.

4.1.3 Pure MLF

The goal of this subsection is to refine the inference system of MLF to obtain a system we call pure MLF. Pure MLF has the advantage that from a derivation of $\Gamma \vdash_\Sigma P \in G$ in cut-free pure MLF with $\Gamma, G$ pure, $P$ can be shown to be pure.

We demonstrate the underlying idea on the example of the existential rule on the right. It currently has the following form:

$$\frac{\Gamma \vdash_\Sigma P' \in A_G \qquad \Gamma \vdash_\Sigma P \in [P'/X](G)}{\Gamma \vdash_\Sigma (\mathbf{inx}\ P'\ P) \in \exists X : A_G.\,G}\ \mathrm{R}\exists$$

We want to avoid the generation of any impure objects, types, programs or formulae; therefore the rules must be restricted to work on guaranteed pure versions of objects, types, programs and formulae. We observe that the rule R∃ does not fulfill this criterion, because $[P'/X](G)$ may not be pure. This can happen because nothing is said about the form of $P'$. Since $[P'/X](G)$ must be a well-formed pure formula, we know by lemma 4.9 that the substitution $[P'/X]$ must be strict. Consequently $P'$ can have two forms: $P' = Y$ or $P' = M$. The existential rule can therefore be refined into the following two rules:

$$\frac{\Gamma \vdash_\Sigma Y \in A_G \qquad \Gamma \vdash_\Sigma P \in [Y/X](G)}{\Gamma \vdash_\Sigma (\mathbf{inx}\ Y\ P) \in \exists X : A_G.\,G}\ \mathrm{R}\exists'$$

and the rule where $P'$ is replaced by $M$:

$$\frac{\Gamma \vdash_\Sigma M \in A_G \qquad \Gamma \vdash_\Sigma P \in [M/X](G)}{\Gamma \vdash_\Sigma (\mathbf{inx}\ M\ P) \in \exists X : A_G.\,G}\ \mathrm{R}\exists''$$
The same argument can be applied to L∀ and we obtain the two refined versions of L∀:

$$\frac{\Gamma_1, X \in \forall Y : A_G.\,D, \Gamma_2 \vdash_\Sigma X_1 \in A_G \qquad \Gamma_1, X \in \forall Y : A_G.\,D, \Gamma_2, Z \in [X_1/Y](D) \vdash_\Sigma P_2 \in G}{\Gamma_1, X \in \forall Y : A_G.\,D, \Gamma_2 \vdash_\Sigma (\mathbf{let}\ (\mathbf{app}\ X\ X_1)\ \mathbf{be}\ Z\ \mathbf{in}\ P_2) \in G}\ \mathrm{L}\forall'$$

and

$$\frac{\Gamma_1, X \in \forall Y : A_G.\,D, \Gamma_2 \vdash_\Sigma M \in A_G \qquad \Gamma_1, X \in \forall Y : A_G.\,D, \Gamma_2, Z \in [M/Y](D) \vdash_\Sigma P_2 \in G}{\Gamma_1, X \in \forall Y : A_G.\,D, \Gamma_2 \vdash_\Sigma (\mathbf{let}\ (\mathbf{app}\ X\ M)\ \mathbf{be}\ Z\ \mathbf{in}\ P_2) \in G}\ \mathrm{L}\forall''$$


A third refinement we have to make again concerns the case rule. In the previous subsection we refined case by establishing a new side condition: $A_G'$ has to be pure. This is not enough for the following considerations: we have to establish a second side condition, namely that $A_G$ itself must be pure, too. Here is the new rule case'':

$$
\frac{\vdash_\Sigma [P/X](\Gamma)\ \mathrm{ctx} \qquad \Gamma \vdash_\Sigma P \in A_G \qquad \Delta^{(i)}, [\Theta^{(i)}](\Gamma') \vdash_\Sigma P^{(i)} \in [\Theta^{(i)}](G') \ \ (\text{for all } i \le n)}
{[P/X](\Gamma) \vdash_\Sigma \left(\begin{array}{l} \mathbf{case}\ P\ \mathbf{of} \\ c_1\ Y^{(1)}_1 \ldots Y^{(1)}_{k_1} \Rightarrow [\eta](P^{(1)}) \\ \quad \vdots \\ c_n\ Y^{(n)}_1 \ldots Y^{(n)}_{k_n} \Rightarrow [\eta](P^{(n)}) \end{array}\right) \in [P/X](G)}\ \mathrm{case}''
$$

where the following side conditions hold:

1. $A_G$ and $A_G'$ are pure

2. $\mathrm{Ind}_{\Sigma,\Gamma}(X, A_G') = \{(\Delta^{(1)}, \Theta^{(1)}), \ldots, (\Delta^{(n)}, \Theta^{(n)})\}$

3. There is an $\eta$ s.t. $[\eta](A_G') = A_G$, $[\eta](\Gamma') = \Gamma$ and $[\eta](G') = G$


We call this refined version of the inference system for MLF pure MLF. We mentioned at the beginning of this chapter that the inference system of MLF is not strong enough to prove the following observation: whenever $\Gamma$ is a pure context, $G$ is a pure formula and a derivation of $\Gamma \vdash_\Sigma P \in G$ exists, then $P$ is a pure program. In pure MLF we have all the ingredients to make the proof go through:

Theorem 4.13 (Generalized Purity Preservation) Let $\Gamma$ be a pure context, $G$ a pure formula, $P$ a program, and $\mathcal{D}$ a derivation of $\mathcal{D} :: \Gamma \vdash_\Sigma P \in G$ in the inference system of pure MLF without cut. Then $P$ is pure.


Proof: By induction over the derivation $\mathcal{D}$:

Case: case'': $[P/X](\Gamma)$ is pure. If $X \in \mathrm{Free}(\Gamma)$ then $\Gamma$ is pure by lemma 4.11, else $\Gamma = [P/X](\Gamma)$ is pure. If $X \in \mathrm{Free}(G)$ then $G$ is pure by lemma 4.8, else $G$ is pure. $A_G$ is pure and $A_G'$ is pure (side condition 1), and therefore $[\eta](A_G') = A_G$ is pure. By lemma 4.4 we obtain that $\eta = \eta|_{\mathrm{Free}(A_G')}$ is strict. $[\eta](\Gamma') = \Gamma$ is pure (because $\Gamma$ is pure) and by lemma 4.11 we obtain that $\Gamma'$ is pure. The same argument holds for $[\eta](G') = G$, which is pure since $G$ is pure; by lemma 4.8 we know that $G'$ is pure, too. By construction (lemma 3.32) $\Theta^{(i)}$ is strictly pure for all $i$. Thus $[\Theta^{(i)}](\Gamma')$ is pure. $\Delta^{(i)}$ is pure, too, by construction. And finally $[\Theta^{(i)}](G')$ is pure because $G'$ is pure. Therefore we can apply the induction hypothesis and obtain that the $P^{(i)}$ are pure for all $i$. Therefore the $[\eta](P^{(i)})$ are pure, and hence the proof term

$$\left(\begin{array}{l} \mathbf{case}\ P\ \mathbf{of} \\ c_1\ Y^{(1)}_1 \ldots Y^{(1)}_{k_1} \Rightarrow [\eta](P^{(1)}) \\ \quad \vdots \\ c_n\ Y^{(n)}_1 \ldots Y^{(n)}_{k_n} \Rightarrow [\eta](P^{(n)}) \end{array}\right)$$

is a pure program.

Case: All other cases are straightforward.

□


4.1.4  Result 

In this section we analyzed the notion of purity with respect to MLF and a refined version of MLF. We saw that both systems, MLF and pure MLF, preserve purity. Working in pure MLF has the big advantage that, if the cut rule is not used in proofs, a purely stated goal $G$ implies that the program $P$ is pure. This is because theorems are stated as $\cdot \vdash_\Sigma P \in G$ with an empty context. Therefore, if the goal $G$ is pure and cut is not used, the program we obtain will be pure. Furthermore, theorem 4.13 is a little more general than that: it also shows that the results of every subderivation in pure MLF are pure, that is, contexts, programs and goal formulae will all be pure. We can therefore conclude that for proof search without cut, the underlying object theory can be restricted to pure objects only.


4.2  Local  reductions 

In this section we show the local reduction property of MLF. Local reductions are part of a cut elimination proof. At the moment it is not clear whether a general cut elimination result holds at all. This section is divided into two parts. In the first part we give some lemmata which are necessary for the proof of the local reduction theorem; the proofs of the lemmata can be found in appendix C. In the second part of this section we discuss the problem of local reductions.

4.2.1  Admissibility  of  Weakening  and  Contraction 

As we have seen in the definition of the MLF inference rule system, there are no structural rules. The reason is that we defined the system along the lines of LJ, as described in [Pfe94c]. The motivation to leave out the structural rules and to show their admissibility later is easily stated. First of all we want to reduce the complexity of the inference rule system. Second, as shown in [Pfe94c], cut elimination then becomes provable by structural induction rather than by induction over a complexity measure.

The intuitionistic sequent calculus contains three structural rules. Weakening allows adding formulae to the context, that is, the set of formulae on the left-hand side of the sequent symbol. Contraction allows the removal of identical copies of formulae from the context. Finally there is the exchange rule, which makes the context independent of the order of the assumptions. We cannot expect the admissibility of the exchange rule for MLF: formulae can depend on variables which have to be introduced earlier into the context, and exchange would destroy this property. But fortunately we can show the admissibility of weakening and contraction.

Let $\mathcal{D} :: \Gamma \vdash_\Sigma P \in G$ be a derivation of a sequent. Weakening $\mathcal{D}$ means adding a new assumption to the context $\Gamma$. The position of the inserted assumption is essential because the order of the assumptions reflects the dependencies of the types. To insert an assumption $X \in D$ into $\Gamma$ we have to split $\Gamma$ into $\Gamma_1$ and $\Gamma_2$. To express that $\mathcal{D}$ is weakened by inserting $X \in D$ after $\Gamma_1$ we write $\mathcal{D}[\Gamma_1 \vee X \in D]$. First a little preparatory lemma:

Lemma 4.14 (Context extension) Let $\Gamma_1, \Gamma_2$ be contexts s.t. $\vdash_\Sigma \Gamma_1, \Gamma_2$ ctx. Let $D$ be a formula s.t. $\Gamma_1 \vdash_\Sigma D$ data. Then $\vdash_\Sigma \Gamma_1, X \in D, \Gamma_2$ ctx.

Proof: see appendix C □

Recall that we do not check the context in every rule; this is done only in the leaves. While applying rules, the context shrinks. It is easily seen that this shrinking process cannot invalidate the context, except in the case rule. There we make sure that the context really is a context by adding the judgment $\vdash_\Sigma [P/X](\Gamma)$ ctx as a new premiss.

Another result we need for the admissibility proofs is how substitution affects objects, types, kinds and goals. This lemma is necessary for the weakening proof, and there only in the case for the case rule: we have to make sure that weakening still works even after applying the strict substitution $\Theta$ to the context of some of the premisses. The lemma would be easier to prove if we worked with rule 3.5, but since the proof is not much more difficult with rule 3.4, we simply prove the more complex lemma. The proof of the lemma is a mutual induction over ten judgments simultaneously. Later on we will have to prove two more lemmas of a similar form.


Lemma 4.15 (Substitution effects) Let $D$ be a data formula, $P$ a program, $K$ a kind, $M$ an object, $A_P$ an atomic type, $A_G$ a goal type and $A_D$ a data type. Let $\sigma$ be a strict substitution with $\mathrm{Free}(\sigma) \cap \mathrm{sup}(\Gamma) = \emptyset$, and let $\Delta$ be a context with $\vdash_\Sigma \Delta$ ctx which introduces the new variables used in $\sigma$. Let $\Gamma' = \Delta, [\sigma](\Gamma)$ and $\Delta' = [\sigma](\Delta)$. Then for every meta context $\Gamma$ and object context $\Delta$:

$$\begin{array}{lcl}
\Gamma; \Delta \vdash_\Sigma K\ \mathrm{kind} & \Rightarrow & \Gamma'; \Delta' \vdash_\Sigma [\sigma](K)\ \mathrm{kind} \\
\Gamma; \Delta \vdash_\Sigma A_P : K & \Rightarrow & \Gamma'; \Delta' \vdash_\Sigma [\sigma](A_P) : [\sigma](K) \\
\Gamma; \Delta \vdash_\Sigma A_G : K & \Rightarrow & \Gamma'; \Delta' \vdash_\Sigma [\sigma](A_G) : [\sigma](K) \\
\Gamma; \Delta \vdash_\Sigma A_D : K & \Rightarrow & \Gamma'; \Delta' \vdash_\Sigma [\sigma](A_D) : [\sigma](K) \\
\Gamma; \Delta \vdash_\Sigma M : A_P & \Rightarrow & \Gamma'; \Delta' \vdash_\Sigma [\sigma](M) : [\sigma](A_P) \\
\Gamma; \Delta \vdash_\Sigma M : A_G & \Rightarrow & \Gamma'; \Delta' \vdash_\Sigma [\sigma](M) : [\sigma](A_G) \\
\Gamma; \Delta \vdash_\Sigma M : A_D & \Rightarrow & \Gamma'; \Delta' \vdash_\Sigma [\sigma](M) : [\sigma](A_D) \\
\Gamma \vdash_\Sigma D\ \mathrm{data} & \Rightarrow & \Gamma' \vdash_\Sigma [\sigma](D)\ \mathrm{data} \\
\Gamma \vdash_\Sigma P \in G & \Rightarrow & \Gamma' \vdash_\Sigma [\sigma](P) \in [\sigma](G) \\
\vdash_\Sigma \Gamma\ \mathrm{ctx} & \Rightarrow & \vdash_\Sigma \Gamma'\ \mathrm{ctx}
\end{array}$$

Proof: The proof goes by simultaneous induction over the structure of the assumptions. For the base cases lemma 3.25 is needed, especially in the case of rule 3.5. The strictness condition is needed for the left quantifier rules (the L∀ and L∃ cases). In the case of the case rule we have to choose a new $\eta' = \sigma \circ \eta$. □

This lemma is needed when we want to prove the admissibility of weakening.

Lemma 4.16 (Weakening) Let $\mathcal{D} :: \Gamma_1, \Gamma_2 \vdash_\Sigma P \in G$, $\mathcal{E} :: \Gamma_1 \vdash_\Sigma D'$ data and $X' \notin \mathrm{dom}(\Gamma_1, \Gamma_2)$. Then $\mathcal{D}[\Gamma_1 \vee X' \in D'] :: \Gamma_1, X' \in D', \Gamma_2 \vdash_\Sigma P \in G$, where $X'$ is a new meta variable and $D'$ is a data formula depending only on variables in $\Gamma_1$.

Proof: The proof is by induction over the derivation $\mathcal{D}$. We describe two cases here; the other cases are described in appendix C.

Case: R→: By assumption we have a sequent of the form $\Gamma_1, \Gamma_2, X \in D \vdash_\Sigma P \in G$, so the induction hypothesis is applicable. Its application yields $\Gamma_1, X' \in D', \Gamma_2, X \in D \vdash_\Sigma P \in G$. The premiss of the rule R→ is still fulfilled, and we can apply it to obtain $\Gamma_1, X' \in D', \Gamma_2 \vdash_\Sigma (\mathbf{fun}\ X.P) \in D \to G$.

Case: case: The case rule is a little more complicated. By assumption we have a derivation of $\Gamma_1, \Gamma_2 \vdash_\Sigma P \in A_G$. By application of the induction hypothesis we obtain $\Gamma_1, X' \in D', \Gamma_2 \vdash_\Sigma P \in A_G$. Note that we can still use the same $\eta$ for the rule, since $A_G$ did not change. Take the $i$-th premiss of the rule: by lemma 3.32 we know that $\vdash_\Sigma \Delta^{(i)}$ ctx and $\Theta^{(i)}$ is strict. Therefore $\Delta^{(i)}, [\Theta^{(i)}](\Gamma_1) \vdash_\Sigma [\Theta^{(i)}](D')$ data by lemma 4.15. By applying the induction hypothesis we obtain

$$\Delta^{(i)}, [\Theta^{(i)}](\Gamma_1), X' \in [\Theta^{(i)}](D'), [\Theta^{(i)}](\Gamma_2) \vdash_\Sigma P^{(i)} \in [\Theta^{(i)}](G)$$

This holds for all $i$, therefore we can apply the rule case to obtain

$$\Gamma_1, X' \in D', \Gamma_2 \vdash_\Sigma \left(\begin{array}{l} \mathbf{case}\ P\ \mathbf{of} \\ c_1\ Y^{(1)}_1 \ldots Y^{(1)}_{k_1} \Rightarrow [\eta](P^{(1)}) \\ \quad \vdots \\ c_n\ Y^{(n)}_1 \ldots Y^{(n)}_{k_n} \Rightarrow [\eta](P^{(n)}) \end{array}\right) \in G$$

□
We now address the problem of the admissibility of the contraction rule. Contraction becomes necessary in the proof of the local reduction theorem, the goal of this section. Contraction means that if two meta variables are declared in the context with the same meta formula, all occurrences of the latter may be replaced by the former. This rule is essential for classical and intuitionistic proof systems.

For contraction we want to prove that whenever $\mathcal{D}$ is a derivation of $\Gamma_1, U \in H, \Gamma_2, V \in H, \Gamma_3 \vdash_\Sigma P \in G$, we can find a derivation of $\Gamma_1, U \in H, \Gamma_2, [U/V](\Gamma_3) \vdash_\Sigma [U/V](P) \in [U/V](G)$. Looking at the rule set, we see that the typing rules for programs refer to the judgment for well-formed contexts. Furthermore, the typing rules for well-formed contexts refer to the judgment $\Gamma \vdash_\Sigma D$ data. The contraction lemma can therefore only be proven by a mutual inductive argument.

If we worked in a system with rule (3.5), the proof of the next lemma would be less complex, but even with rule (3.4) the result is fairly easy to show. We prove the contraction lemma by a mutual induction very similar to the proof of lemma 4.15.

Lemma 4.17 (Contraction) Let $D, D'$ be data formulae, $K$ a kind, $A_P$ an atomic type, $A_G$ a goal type, $A_D$ a data type, $M$ an object and $P$ a program. Then the following holds: for all meta contexts $\Gamma_1, \Gamma_2, \Gamma_3$ and for all object contexts $\Delta$, let $\Gamma = \Gamma_1, U \in D', \Gamma_2, V \in D', \Gamma_3$, $\Gamma' = \Gamma_1, U \in D', \Gamma_2, [U/V](\Gamma_3)$, $\Delta' = [U/V](\Delta)$ and $\sigma = [U/V]$. Then we have:

$$\Gamma; \Delta \vdash_\Sigma K\ \mathrm{kind} \Rightarrow \Gamma'; \Delta' \vdash_\Sigma [\sigma](K)\ \mathrm{kind} \tag{4.1}$$

$$\Gamma; \Delta \vdash_\Sigma A_P : K \Rightarrow \Gamma'; \Delta' \vdash_\Sigma [\sigma](A_P) : [\sigma](K) \tag{4.2}$$

$$\Gamma; \Delta \vdash_\Sigma A_D : K \Rightarrow \Gamma'; \Delta' \vdash_\Sigma [\sigma](A_D) : [\sigma](K) \tag{4.3}$$

$$\Gamma; \Delta \vdash_\Sigma A_G : K \Rightarrow \Gamma'; \Delta' \vdash_\Sigma [\sigma](A_G) : [\sigma](K) \tag{4.4}$$

$$\Gamma; \Delta \vdash_\Sigma M : A_P \Rightarrow \Gamma'; \Delta' \vdash_\Sigma [\sigma](M) : [\sigma](A_P) \tag{4.5}$$

$$\Gamma; \Delta \vdash_\Sigma M : A_G \Rightarrow \Gamma'; \Delta' \vdash_\Sigma [\sigma](M) : [\sigma](A_G) \tag{4.6}$$

$$\Gamma; \Delta \vdash_\Sigma M : A_D \Rightarrow \Gamma'; \Delta' \vdash_\Sigma [\sigma](M) : [\sigma](A_D) \tag{4.7}$$

$$\Gamma \vdash_\Sigma D\ \mathrm{data} \Rightarrow \Gamma' \vdash_\Sigma [\sigma](D)\ \mathrm{data} \tag{4.8}$$

$$\Gamma \vdash_\Sigma P \in G \Rightarrow \Gamma' \vdash_\Sigma [\sigma](P) \in [\sigma](G) \tag{4.9}$$

$$\vdash_\Sigma \Gamma\ \mathrm{ctx} \Rightarrow \vdash_\Sigma \Gamma'\ \mathrm{ctx} \tag{4.10}$$

Proof: by mutual induction. The detailed proof can be found in appendix C. □


This  lemma  brings  us  directly  the  desired  result: 

Theorem 4.18 (Admissibility of Contraction): If

$$\Gamma_1, U \in D', \Gamma_2, V \in D', \Gamma_3 \vdash_\Sigma P \in G$$

then

$$\Gamma_1, U \in D', \Gamma_2, [\sigma](\Gamma_3) \vdash_\Sigma [\sigma](P) \in [\sigma](G)$$

with $\sigma = [U/V]$. If $\Gamma_3$ is pure, $P$ is pure and $G$ is pure, then $[\sigma](\Gamma_3)$, $[\sigma](P)$, $[\sigma](G)$ are pure.

Proof: The first result is a restatement of (4.9); the second follows directly, because $\sigma$ is strictly pure. □
4.2.2  Substitution  lemma

The  next  lemma  we  introduce  is  the  substitution  lemma.  It  is  not  a  logical  rule  like  weakening 
and  contraction,  but  it  represents  in  a  way  the  connection  between  LF  and  the  meta  logic. 

Assume we have a derivation of $\Gamma \vdash_\Sigma P \in G$. From a programming point of view this can be interpreted as: When all variables in $\Gamma$ are instantiated with some programs, $P$ will compute a proof term of $G$. It could be that we have a declaration of the form $Z \in A$ in the context $\Gamma$. Under the interpretation this reads: for a given LF constant $c : A$, we can plug $c$ into the variable positions in $P$. The evaluation of $P$ will provide a proof object of $G$.

In the next section we are concerned with local reductions. One local reduction which might occur is exactly of this form: Assume we are given an object $c : A$ and a derivation of $\Gamma_1, Z \in A, \Gamma_2 \vdash_\Sigma P \in G$; then we would expect the existence of a derivation $\Gamma_1, [\sigma](\Gamma_2) \vdash_\Sigma [\sigma](P) \in [\sigma](G)$ where $\sigma = [c/Z]$.

The substitution lemma shows that this holds. We can assume that $A$ is closed with respect to object and meta variables.


Lemma 4.19 (Substitution property:) Let $D$ be a data formula, $K$ a kind, $A_P$ an atomic type, $A_G$ a goal type, $A_D, A$ data types, $M$ an object and $P$ a program. For $c : A \in \Sigma$ the following holds: For all meta contexts $\Gamma_1, \Gamma_2$ and for all object contexts $\Delta$: Let $\Gamma = \Gamma_1, Z \in A, \Gamma_2$ and $\Gamma' = \Gamma_1, [c/Z](\Gamma_2)$, and let $\Delta' = [c/Z](\Delta)$ and $\sigma = [c/Z]$. Then we have:

$$\begin{array}{lll}
\Gamma;\Delta \vdash_\Sigma K\ \mathsf{kind} & \Longrightarrow\ \Gamma';\Delta' \vdash_\Sigma [\sigma](K)\ \mathsf{kind} & (4.11)\\
\Gamma;\Delta \vdash_\Sigma A_P : K & \Longrightarrow\ \Gamma';\Delta' \vdash_\Sigma [\sigma](A_P) : [\sigma](K) & (4.12)\\
\Gamma;\Delta \vdash_\Sigma A_G : K & \Longrightarrow\ \Gamma';\Delta' \vdash_\Sigma [\sigma](A_G) : [\sigma](K) & (4.13)\\
\Gamma;\Delta \vdash_\Sigma A_D : K & \Longrightarrow\ \Gamma';\Delta' \vdash_\Sigma [\sigma](A_D) : [\sigma](K) & (4.14)\\
\Gamma;\Delta \vdash_\Sigma M : A_P & \Longrightarrow\ \Gamma';\Delta' \vdash_\Sigma [\sigma](M) : [\sigma](A_P) & (4.15)\\
\Gamma;\Delta \vdash_\Sigma M : A_G & \Longrightarrow\ \Gamma';\Delta' \vdash_\Sigma [\sigma](M) : [\sigma](A_G) & (4.16)\\
\Gamma;\Delta \vdash_\Sigma M : A_D & \Longrightarrow\ \Gamma';\Delta' \vdash_\Sigma [\sigma](M) : [\sigma](A_D) & (4.17)\\
\Gamma \vdash_\Sigma D\ \mathsf{data} & \Longrightarrow\ \Gamma' \vdash_\Sigma [\sigma](D)\ \mathsf{data} & (4.18)\\
\Gamma \vdash_\Sigma P \in G & \Longrightarrow\ \Gamma' \vdash_\Sigma [\sigma](P) \in [\sigma](G) & (4.19)\\
\vdash_\Sigma \Gamma\ \mathsf{ctx} & \Longrightarrow\ \vdash_\Sigma \Gamma'\ \mathsf{ctx} & (4.20)
\end{array}$$

Proof: by mutual induction. The detailed proof can be found in appendix C. □

A  reformulation  of  this  lemma  gives  us  the  desired  substitution  lemma. 

Theorem 4.20 (Admissibility of Substitution): If $\Gamma_1, Z \in A, \Gamma_2 \vdash_\Sigma P \in G$ and $c : A \in \Sigma$, then

$$\Gamma_1, [\sigma](\Gamma_2) \vdash_\Sigma [\sigma](P) \in [\sigma](G)$$

with $\sigma = [c/Z]$. If $\Gamma_2$ is pure, $P$ is pure and $G$ is pure, then $[\sigma](\Gamma_2)$, $[\sigma](P)$, $[\sigma](G)$ are pure.

Proof: The first result is a restatement of (4.19); the second follows directly, because $\sigma$ is strictly pure. □
4.2.3  Local  reductions  of  MLF

In this section we show local reductions for MLF. The problem of local reduction can be described as follows: Assume there are two derivations

$$\mathcal{D}_1 :: \Gamma_1 \vdash_\Sigma P_1 \in C \qquad \text{and} \qquad \mathcal{D}_2 :: \Gamma_2 \vdash_\Sigma P_2 \in G.$$

The derivation $\mathcal{D}_1$ constructs a proof term $P_1$, and the derivation $\mathcal{D}_2$ "wants" to consume $P_1$. There are different ways in which this consumption may take place: One possibility is to cut $\mathcal{D}_1$ with $\mathcal{D}_2$. To do so, $\Gamma_2$ must be equal to $\Gamma_1, Z \in C, \Gamma_2'$. We write

$$\mathcal{D}_1 :: \Gamma_1 \vdash_\Sigma P_1 \in C \qquad\qquad \mathcal{D}_2 :: \Gamma_1, Z \in C, \Gamma_2' \vdash_\Sigma P_2 \in G$$

to describe this cut operation.

But the cut operation is not the only rule which has this consumption property: Another rule is the case rule. The rule is restricted to $C$ being an embedded type $A_G$. On the other side, there is not only one derivation $\mathcal{D}_2$ but many — one derivation for every form of the outermost constructor of $P_1$.

The aim of a local reduction theorem is to show that derivations can be locally reduced: The cut rule and the case rule must be displaceable from their positions, while a derivation with the same conclusion can still be found.

In this work we present a local reduction theorem only for the cut case. It seems quite possible that the theorem can be extended to the case rule — but such an examination would be beyond the scope of this thesis.

We  can  put  the  proof  term  Pi  into  the  center  of  our  consideration.  In  our  proof  of  local 
reduction,  we  examine  the  different  forms  a  program  Pi  can  take.  Since  we  decided  to  omit 
case,  we  have  to  exclude  embedded  LF  objects  as  possible  proof  terms  Pi.  The  argument  for  all 
other  forms  is  very  close  to  the  essential  cases  in  the  cut  theorem  in  [Pfe94c,  Pfe94b].  Here  is 
the  theorem: 

Theorem 4.21 (Local reductions in MLF:) If $\mathcal{D} :: \Gamma_1 \vdash P' \in C$, $P' \neq M$ (i.e. $P'$ is not an embedded LF object) and $\mathcal{E} :: \Gamma_1, Z \in C, \Gamma_2 \vdash P \in G$, then there is a derivation $\mathcal{F}$ s.t. $\mathcal{F} :: \Gamma_1, \sigma(\Gamma_2) \vdash \sigma(P) \in \sigma(G)$ with $\sigma = [P'/Z]$.

Proof: The detailed proof can be found in appendix C. □


Chapter  5 


The  example  revisited 


In  section  2.1  we  introduced  a  toy  programming  language  T  and  its  natural  and  operational 
semantics.  We  described  its  representation  in  Elf  and  Coq.  We  showed  the  equivalence  of 
both  semantical  notions  in  the  equivalence  theorem  2.2.  When  using  Coq  as  a  representation 
mechanism  we  took  advantage  of  its  inductive  reasoning  component.  We  proved  the  append 
lemma  2.7,  the  subcomputation  lemma  2.1  and  the  equivalence  theorem  2.2  using  the  Coq  proof 
engine.  The  representation  of  T  and  both  semantical  notions  in  LF  and  Elf  was  straightforward. 
In  this  chapter  we  discuss  how  MLF  can  be  used  to  prove  the  append  lemma,  the  subcomputation 
lemma  and  the  equivalence  theorem. 

5.1  Append  Lemma 

We have seen in the definition of the multi step relation that the concatenation of a single step transition and a multi step transition results in a multi step transition. We have also seen in the proof of the subcomputation lemma 2.1 that a more sophisticated concept of concatenation is required: It is not enough to extend a trace by one single step transition up front. It has to be shown that two traces can be concatenated to a new, longer trace as long as the final state of the first coincides with the start state of the second. This property is represented by the lemma append:

Lemma 2.7 (append) For every two traces $T : S \Rightarrow^* S'$ and $T' : S' \Rightarrow^* S''$ there exists a trace $R : S \Rightarrow^* S''$.

The objective of this section is to present a derivation of the append lemma in MLF. To do so, we transform the lemma into a sequent in MLF: We start with an empty context. The formula can be represented as an MLF goal formula:

$$\forall S{:}\mathsf{state}.\ \forall S'{:}\mathsf{state}.\ \forall S''{:}\mathsf{state}.\ \forall T{:}S \Rightarrow^* S'.\ \forall T'{:}S' \Rightarrow^* S''.\ S \Rightarrow^* S''$$


We  obtain  the  following  sequent: 
We will now give a derivation for this sequent in MLF: We apply the MLF typing rules in a bottom-to-top fashion. We will not construct the proof terms explicitly. The proof terms get rather big, because we will very often apply the L$\forall$ rule. Therefore, instead of writing the proof terms, we use $\mathcal{P}_0, \mathcal{P}_1, \ldots$ as a variable notation for omitted proof terms.

Proof: We will now begin with the presentation of the proof in MLF: The first thing to do is to provide the induction hypothesis. This is done by using the rec rule. We will omit the proof of the side condition of rec relating $F$ and $\mathcal{P}_0$. It will become clear that there is a suitable termination ordering. The proof is done by structural induction.


$$\begin{array}{l}
F \in \forall S{:}\mathsf{state}.\ \forall S'{:}\mathsf{state}.\ \forall S''{:}\mathsf{state}.\ \forall T{:}S \Rightarrow^* S'.\ \forall T'{:}S' \Rightarrow^* S''.\ S \Rightarrow^* S'' \\
\vdash_\Sigma\ \mathcal{P}_0 \in \forall S{:}\mathsf{state}.\ \forall S'{:}\mathsf{state}.\ \forall S''{:}\mathsf{state}.\ \forall T{:}S \Rightarrow^* S'.\ \forall T'{:}S' \Rightarrow^* S''.\ S \Rightarrow^* S''
\end{array}$$

The contexts will contain many variable declarations. Instead of listing them all, we abbreviate the contexts by omitting the corresponding data formulae for all those variables which do not participate in a rule application. Because of the form of the goal formula, we can now apply the rule R$\forall$ four times and obtain:

$$\begin{array}{l}
F,\ S \in \mathsf{state},\ S' \in \mathsf{state},\ S'' \in \mathsf{state},\ T \in S \Rightarrow^* S' \\
\vdash_\Sigma\ \mathcal{P}_1 \in \forall T'{:}S' \Rightarrow^* S''.\ S \Rightarrow^* S''
\end{array}$$

In  the  informal  proof  we  showed  the  append  lemma  by  induction  over  the  first  derivation. 
Consequently,  the  next  rule  to  apply  is  the  case  rule  and  not  the  RV  rule.  The  application  of 
the  case  rule  is  triggered  by  the  axiom  derivation 

$$F,\ S,\ S',\ S'',\ T \in S \Rightarrow^* S' \ \vdash_\Sigma\ T \in S \Rightarrow^* S'$$

We now construct the set $\mathrm{Ind}_{\Sigma,\Gamma}(T)(S \Rightarrow^* S')$. It has two elements:

$$\begin{array}{l}
((D \in \mathsf{state}),\ (D/S,\ D/S',\ \ldots/T)), \\
((D \in \mathsf{state},\ D' \in \mathsf{state},\ D'' \in \mathsf{state},\ E \in D \Rightarrow D',\ E' \in D' \Rightarrow^* D''),\ (D/S,\ D''/S',\ ({\sim}\ D\ D'\ D''\ E\ E')/T))
\end{array}$$

We abbreviate both entries of $\mathrm{Ind}_{\Sigma,\Gamma}(T)(S \Rightarrow^* S')$ for now by $(\Delta^{(1)}, \theta^{(1)})$ and $(\Delta^{(2)}, \theta^{(2)})$.

For a successful application of the case statement we have to prove two judgments. The first results from extending the current context by $\Delta^{(1)}$ and applying the substitution $\theta^{(1)}$ to the current context and the current goal formula. Similarly, the second results from using $(\Delta^{(2)}, \theta^{(2)})$ instead of $(\Delta^{(1)}, \theta^{(1)})$.

Case: $(\Delta^{(1)}, \theta^{(1)})$: The current sequent has the following form

$$D \in \mathsf{state},\ F,\ S'' \ \vdash_\Sigma\ \mathcal{P}_2 \in \forall T'{:}D \Rightarrow^* S''.\ D \Rightarrow^* S''$$
One application of R$\forall$ yields:


$$D,\ F,\ S'',\ T' \in D \Rightarrow^* S'' \ \vdash_\Sigma\ T' \in D \Rightarrow^* S''$$

The first proof branch is closed using id again; it corresponds to the base case of the induction.

Case: $(\Delta^{(2)}, \theta^{(2)})$: The current sequent has the following form:

$$\begin{array}{l}
D \in \mathsf{state},\ D' \in \mathsf{state},\ D'' \in \mathsf{state},\ E \in D \Rightarrow D',\ E' \in D' \Rightarrow^* D'',\ F,\ S'' \\
\vdash_\Sigma\ \mathcal{P}_3 \in \forall T'{:}D'' \Rightarrow^* S''.\ D \Rightarrow^* S''
\end{array}$$

First we apply R$\forall$: On the right side of the sequent symbol an embedded LF type remains. The objective is now to use the context and the signature to provide a proof object of this type.

$$D,\ D',\ D'',\ E,\ E',\ F,\ S'',\ T' \in D'' \Rightarrow^* S'' \ \vdash_\Sigma\ \mathcal{P}_4 \in D \Rightarrow^* S''$$

The only way to do so is to apply the induction hypothesis: We expect a proof term for a trace which ends in the state $S''$. The induction hypothesis is applied to five parameters: $D'\ D''\ S''\ E'\ T'$, i.e. five applications of L$\forall$ yield:

$$D,\ D',\ D'',\ E \in D \Rightarrow D',\ E',\ F,\ S'',\ T',\ R_5 \in D' \Rightarrow^* S'' \ \vdash_\Sigma\ \mathcal{P}_5 \in D \Rightarrow^* S''$$

From looking at this sequent, it is obvious that $E$ and $R_5$ have to be concatenated. Since $E$ is a single step transition, it is enough to apply rule L$\Pi\Sigma$ with constant ${\sim}$ and parameter $D$. We obtain an assumption $S_1$ of the embedded, partially instantiated type of ${\sim}$:

$$\begin{array}{l}
D,\ D',\ D'',\ E \in D \Rightarrow D',\ E',\ F,\ S'',\ T',\ R_5 \in D' \Rightarrow^* S'', \\
S_1 \in \Pi St'{:}\mathsf{state}.\ \Pi St''{:}\mathsf{state}.\ D \Rightarrow St' \to St' \Rightarrow^* St'' \to D \Rightarrow^* St'' \\
\vdash_\Sigma\ \mathcal{P}_6 \in D \Rightarrow^* S''
\end{array}$$

$S_1$ represents an embedded function type, which must be applied to four more parameters to represent an embedded object. To do so, L$\Pi$ has to be applied four times to $D'\ S''\ E\ R_5$. We give neither the intermediate steps nor the intermediate additional assumptions: The current sequent in the proof is

$$D,\ D',\ D'',\ E,\ E',\ F,\ S'',\ T',\ R_5,\ S_1,\ S_5 \in D \Rightarrow^* S'' \ \vdash_\Sigma\ S_5 \in D \Rightarrow^* S''$$


This  sequent  can  be  closed  using  the  axiom  rule  id. 


□ 


5.2  Subcomputation  Lemma 

We  address  now  the  proof  of  the  subcomputation  lemma  from  section  2.1.  The  subcomputation 
lemma  is  a  generalization  of  one  direction  of  the  equivalence  theorem.  Here  is  the  formulation 
of  the  lemma  —  this  time  directly  formulated  in  terms  of  LF  type  theory: 

Lemma 2.1 Let $K$ be an environment, $E$ be an expression and $W$ be a value. If $D$ is an object in $(\mathsf{feval}\ K\ E\ W)$ then for all $H$ environment stack, $P$ program and $S$ value stack we can find a proof term $E'$ in

$$\mathsf{st}\ (H;;K)\ (\mathsf{ev}\ E\,\&\,P)\ S \Rightarrow^* \mathsf{st}\ H\ P\ (S;W)$$

We know that we will apply the append lemma in the proof — this is exactly why we proved the append lemma in MLF. Lemma application is done by applying a cut. For the proof, we have to assume that we have the lemma handy. We will therefore prove the subcomputation lemma under the assumption that lemma append is available. This is done by declaring the variable $\mathit{Append}$ of type

$$\forall S{:}\mathsf{state}.\ \forall S'{:}\mathsf{state}.\ \forall S''{:}\mathsf{state}.\ \forall T{:}S \Rightarrow^* S'.\ \forall T'{:}S' \Rightarrow^* S''.\ S \Rightarrow^* S''$$

and putting this new declaration into the context. The representation of the subcomputation lemma as a sequent in MLF is as follows:

$$\begin{array}{l}
\mathit{Append} \in \forall S{:}\mathsf{state}.\ \forall S'{:}\mathsf{state}.\ \forall S''{:}\mathsf{state}.\ \forall T{:}S \Rightarrow^* S'.\ \forall T'{:}S' \Rightarrow^* S''.\ S \Rightarrow^* S'' \\
\vdash_\Sigma\ \mathcal{P}_0 \in \forall K{:}\mathsf{env}.\ \forall E{:}\mathsf{exp}.\ \forall W{:}\mathsf{val}.\ \forall D{:}\mathsf{feval}\ K\ E\ W.\ \forall H{:}\mathsf{envstack}.\ \forall P{:}\mathsf{program}.\ \forall S{:}\mathsf{env}.\ \mathsf{st}\ (H;;K)\ (\mathsf{ev}\ E\,\&\,P)\ S \Rightarrow^* \mathsf{st}\ H\ P\ (S;W)
\end{array}$$

Proof:  As  in  the  proof  of  the  append  lemma  we  provide  the  induction  hypothesis  as  a  first  step 
in  the  proof. 

$$\begin{array}{l}
\mathit{Append}, \\
F \in \forall K{:}\mathsf{env}.\ \forall E{:}\mathsf{exp}.\ \forall W{:}\mathsf{val}.\ \forall D{:}\mathsf{feval}\ K\ E\ W.\ \forall H{:}\mathsf{envstack}.\ \forall P{:}\mathsf{program}.\ \forall S{:}\mathsf{env}.\ \mathsf{st}\ (H;;K)\ (\mathsf{ev}\ E\,\&\,P)\ S \Rightarrow^* \mathsf{st}\ H\ P\ (S;W) \\
\vdash_\Sigma\ \mathcal{P}_1 \in \forall K{:}\mathsf{env}.\ \forall E{:}\mathsf{exp}.\ \forall W{:}\mathsf{val}.\ \forall D{:}\mathsf{feval}\ K\ E\ W.\ \forall H{:}\mathsf{envstack}.\ \forall P{:}\mathsf{program}.\ \forall S{:}\mathsf{env}.\ \mathsf{st}\ (H;;K)\ (\mathsf{ev}\ E\,\&\,P)\ S \Rightarrow^* \mathsf{st}\ H\ P\ (S;W)
\end{array}$$

The objective is now to decompose the goal formula. We propose to apply R$\forall$ four times. The variable $D$ is the variable we want to perform induction over.
$$\begin{array}{l}
\mathit{Append},\ F,\ K \in \mathsf{env},\ E \in \mathsf{exp},\ W \in \mathsf{val},\ D \in \mathsf{feval}\ K\ E\ W \\
\vdash_\Sigma\ \mathcal{P}_2 \in \forall H{:}\mathsf{envstack}.\ \forall P{:}\mathsf{program}.\ \forall S{:}\mathsf{env}.\ \mathsf{st}\ (H;;K)\ (\mathsf{ev}\ E\,\&\,P)\ S \Rightarrow^* \mathsf{st}\ H\ P\ (S;W)
\end{array}$$

Induction is performed by case distinction over $\mathsf{feval}\ K\ E\ W$. First we construct the set $\mathrm{Ind}_{\Sigma,\Gamma}(D)(\mathsf{feval}\ K\ E\ W)$; it contains four elements:

$$\begin{array}{l}
((K_0 \in \mathsf{env},\ W_0 \in \mathsf{val}),\ ((K_0;W_0)/K,\ 1/E,\ W_0/W,\ (\mathsf{ev}1\ K_0\ W_0)/D)), \\
((K_0 \in \mathsf{env},\ E_0 \in \mathsf{exp},\ W_0 \in \mathsf{val},\ W_0' \in \mathsf{val},\ D_0 \in \mathsf{feval}\ K_0\ E_0\ W_0),\ ((K_0;W_0')/K,\ (E_0{\uparrow})/E,\ W_0/W,\ (\mathsf{ev}{\uparrow}\ \ldots)/D)), \\
((K_0 \in \mathsf{env},\ E_0 \in \mathsf{exp}),\ (K_0/K,\ (\mathsf{lam}\ E_0)/E,\ (\mathsf{clo}\ K_0\ (\mathsf{lam}\ E_0))/W,\ (\mathsf{evlam}\ E_0)/D)), \\
((K_1 \in \mathsf{env},\ E_2 \in \mathsf{exp},\ K_1' \in \mathsf{env},\ E_2' \in \mathsf{exp},\ E_3 \in \mathsf{exp},\ W_3 \in \mathsf{val},\ W_1 \in \mathsf{val}, \\
\quad D_1 \in \mathsf{feval}\ K_1\ E_2\ (\mathsf{clo}\ K_1'\ (\mathsf{lam}\ E_2')),\ D_2 \in \mathsf{feval}\ K_1\ E_3\ W_3,\ D_3 \in \mathsf{feval}\ (K_1';W_3)\ E_2'\ W_1), \\
\quad (K_1/K,\ (\mathsf{app}\ E_2\ E_3)/E,\ W_1/W,\ \ldots/D))
\end{array}$$

The application of case now leads to four new judgments, defined by the current sequent and each entry $(\Delta^{(i)}, \theta^{(i)}) \in \mathrm{Ind}_{\Sigma,\Gamma}(D)(\mathsf{feval}\ K\ E\ W)$. We address the derivation of each of those four judgments:

Case: ev1: The first case corresponds to the base case. The current sequent is extended by $\Delta^{(1)}$, and the substitution $\theta^{(1)}$ is applied to the current context and the current goal formula:

$$\begin{array}{l}
K_0 \in \mathsf{env},\ W_0 \in \mathsf{val},\ \mathit{Append},\ F \\
\vdash_\Sigma\ \mathcal{P}_3 \in \forall H{:}\mathsf{envstack}.\ \forall P{:}\mathsf{program}.\ \forall S{:}\mathsf{env}.\ \mathsf{st}\ (H;;(K_0;W_0))\ (\mathsf{ev}\ 1\,\&\,P)\ S \Rightarrow^* \mathsf{st}\ H\ P\ (S;W_0)
\end{array}$$

The goal formula can be further decomposed by applying R$\forall$ three times:

$$\begin{array}{l}
K_0,\ W_0,\ \mathit{Append},\ F,\ H \in \mathsf{envstack},\ P \in \mathsf{program},\ S \in \mathsf{env} \\
\vdash_\Sigma\ \mathcal{P}_4 \in \mathsf{st}\ (H;;(K_0;W_0))\ (\mathsf{ev}\ 1\,\&\,P)\ S \Rightarrow^* \mathsf{st}\ H\ P\ (S;W_0)
\end{array}$$

For this goal we can find a constant in the signature which yields an instance of the desired type: $\mathsf{c\_1}\ H\ K_0\ W_0\ P\ S$. To obtain the proof object, we have to apply L$\Pi\Sigma$ once (the parameter is $H$) and L$\Pi$ four times.

$$\begin{array}{l}
K_0,\ W_0,\ \mathit{Append},\ F,\ H \in \mathsf{envstack},\ P \in \mathsf{program},\ S \in \mathsf{env}, \\
P_5 \in \mathsf{st}\ (H;;(K_0;W_0))\ (\mathsf{ev}\ 1\,\&\,P)\ S \Rightarrow^* \mathsf{st}\ H\ P\ (S;W_0) \\
\vdash_\Sigma\ P_5 \in \mathsf{st}\ (H;;(K_0;W_0))\ (\mathsf{ev}\ 1\,\&\,P)\ S \Rightarrow^* \mathsf{st}\ H\ P\ (S;W_0)
\end{array}$$


Finally  we  can  close  this  branch  with  id:  The  first  base  case  is  proven. 
Case: ev↑: The next judgment is the result of applying the second element of $\mathrm{Ind}_{\Sigma,\Gamma}(D)(\mathsf{feval}\ K\ E\ W)$ to the current sequent. We obtain the sequent:

$$\begin{array}{l}
K_0 \in \mathsf{env},\ E_0 \in \mathsf{exp},\ W_0 \in \mathsf{val},\ W_0' \in \mathsf{val},\ D_0 \in \mathsf{feval}\ K_0\ E_0\ W_0,\ \mathit{Append},\ F \\
\vdash_\Sigma\ \mathcal{P}_5 \in \forall H{:}\mathsf{envstack}.\ \forall P{:}\mathsf{program}.\ \forall S{:}\mathsf{env}.\ \mathsf{st}\ (H;;(K_0;W_0'))\ (\mathsf{ev}\ (E_0{\uparrow})\,\&\,P)\ S \Rightarrow^* \mathsf{st}\ H\ P\ (S;W_0)
\end{array}$$


As in the last case, the goal formula is decomposed by applying R$\forall$ three times; we obtain

$$\begin{array}{l}
K_0,\ E_0,\ W_0,\ W_0',\ D_0,\ \mathit{Append},\ F,\ H \in \mathsf{envstack},\ P \in \mathsf{program},\ S \in \mathsf{env} \\
\vdash_\Sigma\ \mathcal{P}_6 \in \mathsf{st}\ (H;;(K_0;W_0'))\ (\mathsf{ev}\ (E_0{\uparrow})\,\&\,P)\ S \Rightarrow^* \mathsf{st}\ H\ P\ (S;W_0)
\end{array}$$


Examining this sequent we see that the induction hypothesis $F$ can be applied to $D_0$ to obtain a trace which ends in the desired state. To apply the induction hypothesis, we have to instantiate all universal quantifiers of $F$ with a list of parameters: $K_0\ E_0\ W_0\ D_0\ H\ P\ S$. After seven applications of L$\forall$ we obtain

$$\begin{array}{l}
K_0,\ E_0,\ W_0,\ W_0',\ D_0,\ \mathit{Append},\ F,\ H,\ P,\ S, \\
R_7 \in \mathsf{st}\ (H;;K_0)\ (\mathsf{ev}\ E_0\,\&\,P)\ S \Rightarrow^* \mathsf{st}\ H\ P\ (S;W_0) \\
\vdash_\Sigma\ \mathcal{P}_7 \in \mathsf{st}\ (H;;(K_0;W_0'))\ (\mathsf{ev}\ (E_0{\uparrow})\,\&\,P)\ S \Rightarrow^* \mathsf{st}\ H\ P\ (S;W_0)
\end{array}$$


By using L$\Pi\Sigma$ to access c_↑ with the argument $H$ and by applying L$\Pi$ with the newly generated function five times to the parameters $K_0\ W_0'\ E_0\ P\ S$ we obtain a proof term $S_6$ of a trace which starts in the same state as the embedded goal formula and ends in the state where $R_7$ starts.

$$\begin{array}{l}
K_0,\ E_0,\ W_0,\ W_0',\ D_0,\ \mathit{Append},\ F,\ H,\ P,\ S, \\
R_7 \in \mathsf{st}\ (H;;K_0)\ (\mathsf{ev}\ E_0\,\&\,P)\ S \Rightarrow^* \mathsf{st}\ H\ P\ (S;W_0), \\
S_6 \in \mathsf{st}\ (H;;(K_0;W_0'))\ (\mathsf{ev}\ (E_0{\uparrow})\,\&\,P)\ S \Rightarrow \mathsf{st}\ (H;;K_0)\ (\mathsf{ev}\ E_0\,\&\,P)\ S \\
\vdash_\Sigma\ \mathcal{P}_8 \in \mathsf{st}\ (H;;(K_0;W_0'))\ (\mathsf{ev}\ (E_0{\uparrow})\,\&\,P)\ S \Rightarrow^* \mathsf{st}\ H\ P\ (S;W_0)
\end{array}$$


All that remains to do is to concatenate both traces, witnessed by $S_6$ and $R_7$, to obtain the desired trace. We do this by constructing a new trace using the trace constructor ${\sim}$. This is done by using L$\Pi\Sigma$ once and L$\Pi$ four times with a list of parameters: $\mathsf{st}\ (H;;(K_0;W_0'))\ (\mathsf{ev}\ (E_0{\uparrow})\,\&\,P)\ S$, $\mathsf{st}\ (H;;K_0)\ (\mathsf{ev}\ E_0\,\&\,P)\ S$, $\mathsf{st}\ H\ P\ (S;W_0)$, $S_6$, $R_7$. We do not show how the composite objects are proven type correct. Here is the final sequent:

$$\begin{array}{l}
K_0,\ E_0,\ W_0,\ W_0',\ D_0,\ \mathit{Append},\ F,\ H,\ P,\ S,\ R_7,\ S_6, \\
T_8 \in \mathsf{st}\ (H;;(K_0;W_0'))\ (\mathsf{ev}\ (E_0{\uparrow})\,\&\,P)\ S \Rightarrow^* \mathsf{st}\ H\ P\ (S;W_0) \\
\vdash_\Sigma\ T_8 \in \mathsf{st}\ (H;;(K_0;W_0'))\ (\mathsf{ev}\ (E_0{\uparrow})\,\&\,P)\ S \Rightarrow^* \mathsf{st}\ H\ P\ (S;W_0)
\end{array}$$

which  can  be  closed  using  id.  This  proof  branch  is  closed  and  we  can  address  the  next 
case. 

Case: evlam: This case addresses the treatment of $\lambda$-abstraction. The sequent is obtained by using the original sequent and applying $(\Delta^{(3)}, \theta^{(3)})$. This proof branch is therefore initialized by the following sequent.

$$\begin{array}{l}
K_0 \in \mathsf{env},\ E_0 \in \mathsf{exp},\ \mathit{Append},\ F \\
\vdash_\Sigma\ \mathcal{P}_9 \in \forall H{:}\mathsf{envstack}.\ \forall P{:}\mathsf{program}.\ \forall S{:}\mathsf{env}.\ \mathsf{st}\ (H;;K_0)\ (\mathsf{ev}\ (\mathsf{lam}\ E_0)\,\&\,P)\ S \Rightarrow^* \mathsf{st}\ H\ P\ (S;(\mathsf{clo}\ K_0\ (\mathsf{lam}\ E_0)))
\end{array}$$

As in the previous cases, we apply the rule R$\forall$ three times and obtain the sequent:

$$\begin{array}{l}
K_0,\ E_0,\ \mathit{Append},\ F,\ H \in \mathsf{envstack},\ P \in \mathsf{program},\ S \in \mathsf{env} \\
\vdash_\Sigma\ \mathcal{P}_{10} \in \mathsf{st}\ (H;;K_0)\ (\mathsf{ev}\ (\mathsf{lam}\ E_0)\,\&\,P)\ S \Rightarrow^* \mathsf{st}\ H\ P\ (S;(\mathsf{clo}\ K_0\ (\mathsf{lam}\ E_0)))
\end{array}$$

By providing the correct parameters $H\ K_0\ E_0\ P\ S$ to c_lam we obtain, after one L$\Pi\Sigma$ and four L$\Pi$ rule applications, the sequent:

$$\begin{array}{l}
K_0,\ E_0,\ \mathit{Append},\ F,\ H,\ P,\ S, \\
R_5 \in \mathsf{st}\ (H;;K_0)\ (\mathsf{ev}\ (\mathsf{lam}\ E_0)\,\&\,P)\ S \Rightarrow \mathsf{st}\ H\ P\ (S;(\mathsf{clo}\ K_0\ (\mathsf{lam}\ E_0))) \\
\vdash_\Sigma\ \mathcal{P}_8 \in \mathsf{st}\ (H;;K_0)\ (\mathsf{ev}\ (\mathsf{lam}\ E_0)\,\&\,P)\ S \Rightarrow^* \mathsf{st}\ H\ P\ (S;(\mathsf{clo}\ K_0\ (\mathsf{lam}\ E_0)))
\end{array}$$

which  can  be  closed  by  id.  The  third  case  is  proven. 

Case: evapp: The proof for the last case is the most complicated one. Three applications of the induction hypothesis and two applications of the append lemma are necessary to prove this branch. As usual, we obtain the initial sequent from the current one after applying $(\Delta^{(4)}, \theta^{(4)})$ to the current sequent:

$$\begin{array}{l}
K_1 \in \mathsf{env},\ E_2 \in \mathsf{exp},\ K_1' \in \mathsf{env},\ E_2' \in \mathsf{exp},\ E_3 \in \mathsf{exp},\ W_3 \in \mathsf{val},\ W_1 \in \mathsf{val}, \\
D_1 \in \mathsf{feval}\ K_1\ E_2\ (\mathsf{clo}\ K_1'\ (\mathsf{lam}\ E_2')), \\
D_2 \in \mathsf{feval}\ K_1\ E_3\ W_3, \\
D_3 \in \mathsf{feval}\ (K_1';W_3)\ E_2'\ W_1, \\
\mathit{Append},\ F \\
\vdash_\Sigma\ \mathcal{P}_{11} \in \forall H{:}\mathsf{envstack}.\ \forall P{:}\mathsf{program}.\ \forall S{:}\mathsf{env}.\ \mathsf{st}\ (H;;K_1)\ (\mathsf{ev}\ (\mathsf{app}\ E_2\ E_3)\,\&\,P)\ S \Rightarrow^* \mathsf{st}\ H\ P\ (S;W_1)
\end{array}$$
To get rid of the universal quantifiers in the goal formula, we have to apply the R$\forall$ rule three times.

$$\begin{array}{l}
K_1,\ E_2,\ K_1',\ E_2',\ E_3,\ W_3,\ W_1,\ D_1,\ D_2,\ D_3,\ \mathit{Append},\ F,\ H \in \mathsf{envstack},\ P \in \mathsf{program},\ S \in \mathsf{env} \\
\vdash_\Sigma\ \mathcal{P}_{12} \in \mathsf{st}\ (H;;K_1)\ (\mathsf{ev}\ (\mathsf{app}\ E_2\ E_3)\,\&\,P)\ S \Rightarrow^* \mathsf{st}\ H\ P\ (S;W_1)
\end{array}$$

This time we go through the proof in a very forward directed way: We first try to generate a transition from the start state of the embedded goal type to some other state. The only way to do so is to use c_app. Since this is a constant defined in the signature, L$\Pi\Sigma$ is applied with the parameter $H$ to move it into the context. Then L$\Pi$ is applied five times with five more parameters $K_1\ E_2\ E_3\ P\ S$. We obtain

$$\begin{array}{l}
K_1,\ E_2,\ K_1',\ E_2',\ E_3,\ W_3,\ W_1,\ D_1,\ D_2,\ D_3,\ \mathit{Append},\ F,\ H,\ P,\ S, \\
U_6 \in \mathsf{st}\ (H;;K_1)\ (\mathsf{ev}\ (\mathsf{app}\ E_2\ E_3)\,\&\,P)\ S \Rightarrow \mathsf{st}\ (H;;K_1;;K_1)\ (\mathsf{ev}\ E_2\,\&\,\mathsf{ev}\ E_3\,\&\,\mathsf{apply}\,\&\,P)\ S \\
\vdash_\Sigma\ \mathcal{P}_{12} \in \mathsf{st}\ (H;;K_1)\ (\mathsf{ev}\ (\mathsf{app}\ E_2\ E_3)\,\&\,P)\ S \Rightarrow^* \mathsf{st}\ H\ P\ (S;W_1)
\end{array}$$

Next, we try to go from the final state of $U_6$ to some other state. Obviously, we have to construct a trace which starts in the final state of $U_6$. It is easy to see that this trace is provided by applying the induction hypothesis to $D_1$, since this is the only proposition in which $E_2$ occurs. The application of L$\forall$ seven times with the parameters $K_1$, $E_2$, $\mathsf{clo}\ K_1'\ (\mathsf{lam}\ E_2')$, $D_1$, $H;;K_1$, $\mathsf{ev}\ E_3\,\&\,\mathsf{apply}\,\&\,P$, $S$ yields a proof term of the desired type: $R_7$.

$$\begin{array}{l}
K_1,\ E_2,\ K_1',\ E_2',\ E_3,\ W_3,\ W_1,\ D_1,\ D_2,\ D_3,\ \mathit{Append},\ F,\ H,\ P,\ S, \\
U_6 \in \mathsf{st}\ (H;;K_1)\ (\mathsf{ev}\ (\mathsf{app}\ E_2\ E_3)\,\&\,P)\ S \Rightarrow \mathsf{st}\ (H;;K_1;;K_1)\ (\mathsf{ev}\ E_2\,\&\,\mathsf{ev}\ E_3\,\&\,\mathsf{apply}\,\&\,P)\ S, \\
R_7 \in \mathsf{st}\ (H;;K_1;;K_1)\ (\mathsf{ev}\ E_2\,\&\,\mathsf{ev}\ E_3\,\&\,\mathsf{apply}\,\&\,P)\ S \Rightarrow^* \mathsf{st}\ (H;;K_1)\ (\mathsf{ev}\ E_3\,\&\,\mathsf{apply}\,\&\,P)\ (S;(\mathsf{clo}\ K_1'\ (\mathsf{lam}\ E_2'))) \\
\vdash_\Sigma\ \mathcal{P}_{13} \in \mathsf{st}\ (H;;K_1)\ (\mathsf{ev}\ (\mathsf{app}\ E_2\ E_3)\,\&\,P)\ S \Rightarrow^* \mathsf{st}\ H\ P\ (S;W_1)
\end{array}$$

Now we are in the situation where we have a single step transition $U_6$ and a multi step transition $R_7$ which should be concatenated. This is done by the multi step transition constructor ${\sim}$. To apply ${\sim} \in \Sigma$ we have to apply L$\Pi\Sigma$ once and L$\Pi$ three times with four parameters

1. $\mathsf{st}\ (H;;K_1)\ (\mathsf{ev}\ (\mathsf{app}\ E_2\ E_3)\,\&\,P)\ S$

2. $\mathsf{st}\ (H;;K_1;;K_1)\ (\mathsf{ev}\ E_2\,\&\,\mathsf{ev}\ E_3\,\&\,\mathsf{apply}\,\&\,P)\ S$

3. $\mathsf{st}\ (H;;K_1)\ (\mathsf{ev}\ E_3\,\&\,\mathsf{apply}\,\&\,P)\ (S;(\mathsf{clo}\ K_1'\ (\mathsf{lam}\ E_2')))$

4. $U_6$, $R_7$

The result of this application is the following sequent. Note that $S_4$ stands for the newly constructed trace.

$$\begin{array}{l}
K_1,\ E_2,\ K_1',\ E_2',\ E_3,\ W_3,\ W_1,\ D_1,\ D_2,\ D_3,\ \mathit{Append},\ F,\ H,\ P,\ S,\ U_6,\ R_7, \\
S_4 \in \mathsf{st}\ (H;;K_1)\ (\mathsf{ev}\ (\mathsf{app}\ E_2\ E_3)\,\&\,P)\ S \Rightarrow^* \mathsf{st}\ (H;;K_1)\ (\mathsf{ev}\ E_3\,\&\,\mathsf{apply}\,\&\,P)\ (S;(\mathsf{clo}\ K_1'\ (\mathsf{lam}\ E_2'))) \\
\vdash_\Sigma\ \mathcal{P}_{14} \in \mathsf{st}\ (H;;K_1)\ (\mathsf{ev}\ (\mathsf{app}\ E_2\ E_3)\,\&\,P)\ S \Rightarrow^* \mathsf{st}\ H\ P\ (S;W_1)
\end{array}$$

The next step is to construct a trace starting in the final state of $S_4$ and leading to some other state. This time the induction hypothesis has to be applied to $D_2$: This is done by applying the L$\forall$ rule seven times with the following parameters: $K_1$, $E_3$, $W_3$, $D_2$, $H$, $\mathsf{apply}\,\&\,P$, $S;(\mathsf{clo}\ K_1'\ (\mathsf{lam}\ E_2'))$. The result is the sequent

$$\begin{array}{l}
K_1,\ E_2,\ K_1',\ E_2',\ E_3,\ W_3,\ W_1,\ D_1,\ D_2,\ D_3,\ \mathit{Append},\ F,\ H,\ P,\ S,\ U_6,\ R_7, \\
S_4 \in \mathsf{st}\ (H;;K_1)\ (\mathsf{ev}\ (\mathsf{app}\ E_2\ E_3)\,\&\,P)\ S \Rightarrow^* \mathsf{st}\ (H;;K_1)\ (\mathsf{ev}\ E_3\,\&\,\mathsf{apply}\,\&\,P)\ (S;(\mathsf{clo}\ K_1'\ (\mathsf{lam}\ E_2'))), \\
V_7 \in \mathsf{st}\ (H;;K_1)\ (\mathsf{ev}\ E_3\,\&\,\mathsf{apply}\,\&\,P)\ (S;(\mathsf{clo}\ K_1'\ (\mathsf{lam}\ E_2'))) \Rightarrow^* \mathsf{st}\ H\ (\mathsf{apply}\,\&\,P)\ (S;(\mathsf{clo}\ K_1'\ (\mathsf{lam}\ E_2'));W_3) \\
\vdash_\Sigma\ \mathcal{P}_{15} \in \mathsf{st}\ (H;;K_1)\ (\mathsf{ev}\ (\mathsf{app}\ E_2\ E_3)\,\&\,P)\ S \Rightarrow^* \mathsf{st}\ H\ P\ (S;W_1)
\end{array}$$

We observe that there are now two multi step transitions, $S_4$ and $V_7$. We cannot use ${\sim}$ to construct a concatenation trace: $S_4$ is not a single step transition. We have to use the lemma $\mathit{Append}$. The rule L$\forall$ has to be applied five times with the following parameters:

1. $\mathsf{st}\ (H;;K_1)\ (\mathsf{ev}\ (\mathsf{app}\ E_2\ E_3)\,\&\,P)\ S$,

2. $\mathsf{st}\ (H;;K_1)\ (\mathsf{ev}\ E_3\,\&\,\mathsf{apply}\,\&\,P)\ (S;(\mathsf{clo}\ K_1'\ (\mathsf{lam}\ E_2')))$,

3. $\mathsf{st}\ H\ (\mathsf{apply}\,\&\,P)\ (S;(\mathsf{clo}\ K_1'\ (\mathsf{lam}\ E_2'));W_3)$,

4. $S_4$,

5. $V_7$

We obtain the new sequent with the newly concatenated trace as $W_5$:

$$\begin{array}{l}
K_1,\ E_2,\ K_1',\ E_2',\ E_3,\ W_3,\ W_1,\ D_1,\ D_2,\ D_3,\ \mathit{Append},\ F,\ H,\ P,\ S,\ U_6,\ R_7,\ S_4,\ V_7, \\
W_5 \in \mathsf{st}\ (H;;K_1)\ (\mathsf{ev}\ (\mathsf{app}\ E_2\ E_3)\,\&\,P)\ S \Rightarrow^* \mathsf{st}\ H\ (\mathsf{apply}\,\&\,P)\ (S;(\mathsf{clo}\ K_1'\ (\mathsf{lam}\ E_2'));W_3) \\
\vdash_\Sigma\ \mathcal{P}_{16} \in \mathsf{st}\ (H;;K_1)\ (\mathsf{ev}\ (\mathsf{app}\ E_2\ E_3)\,\&\,P)\ S \Rightarrow^* \mathsf{st}\ H\ P\ (S;W_1)
\end{array}$$

As above, we now try to construct some trace starting in the final state of $W_5$ and leading to some other state. We have to use the constant c_apply $\in \Sigma$. To apply the rule, we have to apply L$\Pi\Sigma$ once and L$\Pi$ six times with the parameters $H\ P\ S\ K_1'\ E_2'\ W_3$. The newly generated trace is called $X_6$:

$$\begin{array}{l}
K_1,\ E_2,\ K_1',\ E_2',\ E_3,\ W_3,\ W_1,\ D_1,\ D_2,\ D_3,\ \mathit{Append},\ F,\ H,\ P,\ S,\ U_6,\ R_7,\ S_4,\ V_7, \\
W_5 \in \mathsf{st}\ (H;;K_1)\ (\mathsf{ev}\ (\mathsf{app}\ E_2\ E_3)\,\&\,P)\ S \Rightarrow^* \mathsf{st}\ H\ (\mathsf{apply}\,\&\,P)\ (S;(\mathsf{clo}\ K_1'\ (\mathsf{lam}\ E_2'));W_3), \\
X_6 \in \mathsf{st}\ H\ (\mathsf{apply}\,\&\,P)\ (S;\mathsf{clo}\ K_1'\ (\mathsf{lam}\ E_2');W_3) \Rightarrow \mathsf{st}\ (H;;(K_1';W_3))\ (\mathsf{ev}\ E_2'\,\&\,P)\ S \\
\vdash_\Sigma\ \mathcal{P}_{17} \in \mathsf{st}\ (H;;K_1)\ (\mathsf{ev}\ (\mathsf{app}\ E_2\ E_3)\,\&\,P)\ S \Rightarrow^* \mathsf{st}\ H\ P\ (S;W_1)
\end{array}$$

In this situation it is tempting to try to connect $W_5$ and $X_6$ to a trace, and then to close the gap between the final state of $X_6$ and the final state of the trace described by the embedded goal formula. It turns out that this is not the best way to go. The reason is that we can connect a one step transition with a multi step transition because of the constructor ${\sim}$, but it is difficult to connect a multi step transition with a single step transition. Lemma $\mathit{Append}$ guarantees that we can concatenate two multi step transitions, but at this point of our consideration we would have to invest more reasoning to derive a similar lemma for single step and multi step traces. We will not do this. Instead we will try to construct a trace starting at the final state of $X_6$ and leading to the desired final state. If it turns out that this trace is only a single step transition, we have to prove the lemma. But fortunately, it will turn out to be a multi step trace. Then we can apply lemma $\mathit{Append}$ again.

To bridge the gap between the final state of $X_6$ and the desired final state, we have to apply the induction hypothesis again. We make the observation that $D_3$ states something about the evaluation of $E_2'$. To apply the induction hypothesis $F$ we have to use the rule L$\forall$ seven times with the parameters $(K_1';W_3)$, $E_2'$, $W_1$, $D_3$, $H$, $P$, $S$. We obtain:

$$\begin{array}{l}
K_1,\ E_2,\ K_1',\ E_2',\ E_3,\ W_3,\ W_1,\ D_1,\ D_2,\ D_3,\ \mathit{Append},\ F,\ H,\ P,\ S,\ U_6,\ R_7,\ S_4,\ V_7, \\
W_5 \in \mathsf{st}\ (H;;K_1)\ (\mathsf{ev}\ (\mathsf{app}\ E_2\ E_3)\,\&\,P)\ S \Rightarrow^* \mathsf{st}\ H\ (\mathsf{apply}\,\&\,P)\ (S;(\mathsf{clo}\ K_1'\ (\mathsf{lam}\ E_2'));W_3), \\
X_6 \in \mathsf{st}\ H\ (\mathsf{apply}\,\&\,P)\ (S;\mathsf{clo}\ K_1'\ (\mathsf{lam}\ E_2');W_3) \Rightarrow \mathsf{st}\ (H;;(K_1';W_3))\ (\mathsf{ev}\ E_2'\,\&\,P)\ S, \\
Y_7 \in \mathsf{st}\ (H;;(K_1';W_3))\ (\mathsf{ev}\ E_2'\,\&\,P)\ S \Rightarrow^* \mathsf{st}\ H\ P\ (S;W_1) \\
\vdash_\Sigma\ \mathcal{P}_{18} \in \mathsf{st}\ (H;;K_1)\ (\mathsf{ev}\ (\mathsf{app}\ E_2\ E_3)\,\&\,P)\ S \Rightarrow^* \mathsf{st}\ H\ P\ (S;W_1)
\end{array}$$

All that remains to do is to concatenate $X_6$ and $Y_7$ with the constructor ${\sim} \in \Sigma$. The resulting trace is a multi step transition and has to be connected to $W_5$. To concatenate $X_6$ and $Y_7$ we apply L$\Pi\Sigma$ once and L$\Pi$ four times, with the following list of parameters:

1. $\mathsf{st}\ H\ (\mathsf{apply}\,\&\,P)\ (S;\mathsf{clo}\ K_1'\ (\mathsf{lam}\ E_2');W_3)$

2. $\mathsf{st}\ (H;;(K_1';W_3))\ (\mathsf{ev}\ E_2'\,\&\,P)\ S$

3. $\mathsf{st}\ H\ P\ (S;W_1)$

4. $X_6$

5. $Y_7$




The result is the following sequent; $Z_5$ is the new trace. This trace has to be appended to $W_5$:

$$\begin{array}{l}
K_1,\ E_2,\ K_1',\ E_2',\ E_3,\ W_3,\ W_1,\ D_1,\ D_2,\ D_3,\ \mathit{Append},\ F,\ H,\ P,\ S,\ U_6,\ R_7,\ S_4,\ V_7, \\
W_5 \in \mathsf{st}\ (H;;K_1)\ (\mathsf{ev}\ (\mathsf{app}\ E_2\ E_3)\,\&\,P)\ S \Rightarrow^* \mathsf{st}\ H\ (\mathsf{apply}\,\&\,P)\ (S;(\mathsf{clo}\ K_1'\ (\mathsf{lam}\ E_2'));W_3), \\
X_6,\ Y_7, \\
Z_5 \in \mathsf{st}\ H\ (\mathsf{apply}\,\&\,P)\ (S;\mathsf{clo}\ K_1'\ (\mathsf{lam}\ E_2');W_3) \Rightarrow^* \mathsf{st}\ H\ P\ (S;W_1) \\
\vdash_\Sigma\ \mathcal{P}_{19} \in \mathsf{st}\ (H;;K_1)\ (\mathsf{ev}\ (\mathsf{app}\ E_2\ E_3)\,\&\,P)\ S \Rightarrow^* \mathsf{st}\ H\ P\ (S;W_1)
\end{array}$$

The final step in this proof is to concatenate $W_5$ and $Z_5$: We do this by using lemma $\mathit{Append}$ as above, this time with the parameters:

1. $\mathsf{st}\ (H;;K_1)\ (\mathsf{ev}\ (\mathsf{app}\ E_2\ E_3)\,\&\,P)\ S$

2. $\mathsf{st}\ H\ (\mathsf{apply}\,\&\,P)\ (S;\mathsf{clo}\ K_1'\ (\mathsf{lam}\ E_2');W_3)$

3. $\mathsf{st}\ H\ P\ (S;W_1)$

4. $W_5$

5. $Z_5$

The final sequent has the following form:

$$\begin{array}{l}
K_1,\ E_2,\ K_1',\ E_2',\ E_3,\ W_3,\ W_1,\ D_1,\ D_2,\ D_3,\ \mathit{Append},\ F,\ H,\ P,\ S,\ U_6, \\
R_7,\ S_4,\ V_7,\ W_5,\ X_6,\ Y_7,\ Z_5, \\
A_5 \in \mathsf{st}\ (H;;K_1)\ (\mathsf{ev}\ (\mathsf{app}\ E_2\ E_3)\,\&\,P)\ S \Rightarrow^* \mathsf{st}\ H\ P\ (S;W_1) \\
\vdash_\Sigma\ A_5 \in \mathsf{st}\ (H;;K_1)\ (\mathsf{ev}\ (\mathsf{app}\ E_2\ E_3)\,\&\,P)\ S \Rightarrow^* \mathsf{st}\ H\ P\ (S;W_1)
\end{array}$$

Obviously, $A_5$ is of the desired embedded goal type; id closes this branch and completes the proof of the subcomputation lemma.

We proved the subcomputation lemma under the assumption that we have a lemma accessible which guarantees the concatenation of two traces: the lemma append. In the proof we do not refer explicitly to the proof of the append lemma, only to the variable $\mathit{Append}$, which is present in the context: The proof of the subcomputation lemma was done in a non-empty context. The objective is to prove the subcomputation lemma — without any further assumptions. To do so, we have to bring the proofs of the subcomputation lemma and the append lemma together. This is done by using the cut rule. In section 5.1 we have seen that it is possible to derive a proof term $P$ of the append lemma:

$$\vdash_\Sigma\ P \in \forall S{:}\mathsf{state}.\ \forall S'{:}\mathsf{state}.\ \forall S''{:}\mathsf{state}.\ \forall T{:}S \Rightarrow^* S'.\ \forall T'{:}S' \Rightarrow^* S''.\ S \Rightarrow^* S''$$


Because of the subcomputation lemma, we have a derivation of a proof term $Q$:

$$\begin{array}{l}
\mathit{Append} \in \forall S{:}\mathsf{state}.\ \forall S'{:}\mathsf{state}.\ \forall S''{:}\mathsf{state}.\ \forall T{:}S \Rightarrow^* S'.\ \forall T'{:}S' \Rightarrow^* S''.\ S \Rightarrow^* S'' \\
\vdash_\Sigma\ Q \in \forall K{:}\mathsf{env}.\ \forall E{:}\mathsf{exp}.\ \forall W{:}\mathsf{val}.\ \forall D{:}\mathsf{feval}\ K\ E\ W.\ \forall H{:}\mathsf{envstack}.\ \forall P{:}\mathsf{program}.\ \forall S{:}\mathsf{env}.\ \mathsf{st}\ (H;;K)\ (\mathsf{ev}\ E\,\&\,P)\ S \Rightarrow^* \mathsf{st}\ H\ P\ (S;W)
\end{array}$$

The cut rule is applicable; we obtain the following proof object for the subcomputation lemma with an empty context:

$$[P/\mathit{Append}](Q) \qquad (5.1)$$

□ 

This concludes the presentation of the subcomputation lemma. A direct consequence of this lemma is the equivalence theorem. In the next section we give a representation of this theorem in MLF:


5.3  Equivalence  Theorem 

The  equivalence  theorem  states  the  equivalence  of  the  natural  and  the  operational  semantics 
of  our  language  T.  The  subcomputation  theorem  shows  one  direction  of  the  theorem.  In  this 
last  section  we  give  a  more  elegant  presentation  of  this  one  direction  in  MLF.  We  restate  the 
theorem  from  section  2.1. 

Theorem 2.2 (Equivalence Theorem (one direction)) For $K$ environment, $E$ expression and $W$ value: If $(\mathsf{feval}\ K\ E\ W)$ is inhabited, then also $((\cdot;K),\ E\,\&\,\mathsf{done},\ \cdot) \Rightarrow^* (\cdot,\ \mathsf{done},\ (\cdot;W))$.

Proof: The proof of this theorem then follows quite easily: We know that the theorem is a direct consequence of the subcomputation theorem. We therefore extend the context $\Gamma$ by the assumption that a subcomputation lemma is available. We prove the theorem under this assumption. Eventually, we cut this assumption out, using the original proof of the subcomputation theorem. The representation of the equivalence theorem is therefore:

$$\begin{array}{l}
\mathit{Subcomp} \in \forall K{:}\mathsf{env}.\ \forall E{:}\mathsf{exp}.\ \forall W{:}\mathsf{val}.\ \forall D{:}\mathsf{feval}\ K\ E\ W.\ \forall H{:}\mathsf{envstack}.\ \forall P{:}\mathsf{program}.\ \forall S{:}\mathsf{env}.\ \mathsf{st}\ (H;;K)\ (\mathsf{ev}\ E\,\&\,P)\ S \Rightarrow^* \mathsf{st}\ H\ P\ (S;W) \\
\vdash_\Sigma\ \mathcal{P}_0 \in \forall K{:}\mathsf{env}.\ \forall E{:}\mathsf{exp}.\ \forall W{:}\mathsf{val}.\ \mathsf{feval}\ K\ E\ W \supset \mathsf{st}\ (\mathsf{emptys};;K)\ (\mathsf{ev}\ E\,\&\,\mathsf{done})\ \mathsf{empty} \Rightarrow^* \mathsf{st}\ \mathsf{emptys}\ \mathsf{done}\ (\mathsf{empty};W)
\end{array}$$

As usual, we first decompose the form of the goal formula on the right. The rule R$\forall$ is applied
three times; the result is the following sequent:

$$\begin{array}{l}
\mathit{Subcomp},\ K \in \mathsf{env},\ E \in \mathsf{exp},\ W \in \mathsf{val} \\[2pt]
\vdash_\Sigma P_1 \in \mathsf{feval}\ K\ E\ W \rightarrow \mathsf{st}\ (\mathsf{emptys};;K)\ (\mathsf{ev}\ E \,\&\, \mathsf{done})\ \mathsf{empty} \Rightarrow^{*} \mathsf{st}\ \mathsf{emptys}\ \mathsf{done}\ (\mathsf{empty};W)
\end{array}$$

The implication in the goal formula can be resolved using the rule R$\rightarrow$; the resulting sequent
has the following form:

$$\begin{array}{l}
\mathit{Subcomp},\ K \in \mathsf{env},\ E \in \mathsf{exp},\ W \in \mathsf{val},\ D \in \mathsf{feval}\ K\ E\ W \\[2pt]
\vdash_\Sigma P_2 \in \mathsf{st}\ (\mathsf{emptys};;K)\ (\mathsf{ev}\ E \,\&\, \mathsf{done})\ \mathsf{empty} \Rightarrow^{*} \mathsf{st}\ \mathsf{emptys}\ \mathsf{done}\ (\mathsf{empty};W)
\end{array}$$

The last thing to do is to apply the assumption $\mathit{Subcomp}$. This corresponds to applying
the subcomputation lemma. Seven applications of the rule L$\forall$ with the parameters
$K$, $E$, $W$, $D$, $\mathsf{emptys}$, $\mathsf{done}$ and $\mathsf{empty}$ (in the order of the quantifiers) yield the following result:

$$\begin{array}{l}
\mathit{Subcomp},\ K \in \mathsf{env},\ E \in \mathsf{exp},\ W \in \mathsf{val},\ D \in \mathsf{feval}\ K\ E\ W, \\
\quad U_7 \in \mathsf{st}\ (\mathsf{emptys};;K)\ (\mathsf{ev}\ E \,\&\, \mathsf{done})\ \mathsf{empty} \Rightarrow^{*} \mathsf{st}\ \mathsf{emptys}\ \mathsf{done}\ (\mathsf{empty};W) \\[2pt]
\vdash_\Sigma U_7 \in \mathsf{st}\ (\mathsf{emptys};;K)\ (\mathsf{ev}\ E \,\&\, \mathsf{done})\ \mathsf{empty} \Rightarrow^{*} \mathsf{st}\ \mathsf{emptys}\ \mathsf{done}\ (\mathsf{empty};W)
\end{array}$$

The rule id closes the branch. Obviously, everything works out under the assumption that the
subcomputation lemma is proven. To obtain the actual proof, we have to cut this derivation with
the derivation of the subcomputation lemma. The proof term of the subcomputation lemma has
the form $[P/\mathit{Append}](Q)$ (equation 5.1). Let $R$ be the proof term of the equivalence theorem:

$$\begin{array}{l}
\mathit{Subcomp} \in \forall K : \mathsf{env}.\ \forall E : \mathsf{exp}.\ \forall W : \mathsf{val}.\ \forall D : \mathsf{feval}\ K\ E\ W.\ \forall H : \mathsf{envstack}.\ \forall P : \mathsf{program}.\ \forall S : \mathsf{env}. \\
\qquad \mathsf{st}\ (H;;K)\ (\mathsf{ev}\ E \,\&\, P)\ S \Rightarrow^{*} \mathsf{st}\ H\ P\ (S;W) \\[2pt]
\vdash_\Sigma R \in \forall K : \mathsf{env}.\ \forall E : \mathsf{exp}.\ \forall W : \mathsf{val}.\ \mathsf{feval}\ K\ E\ W \rightarrow \\
\qquad \mathsf{st}\ (\mathsf{emptys};;K)\ (\mathsf{ev}\ E \,\&\, \mathsf{done})\ \mathsf{empty} \Rightarrow^{*} \mathsf{st}\ \mathsf{emptys}\ \mathsf{done}\ (\mathsf{empty};W)
\end{array}$$

The application of the cut rule yields the following proof term for the equivalence theorem:

$$[[P/\mathit{Append}](Q)/\mathit{Subcomp}](R) \qquad (5.2)$$

□ 


This  completes  the  presentation  of  the  language  T  and  some  of  its  meta  theoretical  results  in 
MLF. 
Chapter 6

Conclusion 


In this thesis, we presented the meta logic MLF for the Horn fragment of LF. LF is well-suited
to represent deductive systems. In section 2.1 we introduced as an example a toy programming
language T. T and the notions of operational and natural semantics were then represented in
LF. Note that the result of this representation remained in the Horn fragment of LF. Therefore
the Horn fragment of LF is already powerful enough to represent non-trivial problems.

T also showed a further property of LF: even meta-theoretical results can be represented.
The representation of the proof of the equivalence theorem showed how induction is transformed
into LF objects and LF types. The implementation in Elf demonstrated how the computational
content of a proof can be accessed and used.

Currently, meta-theoretical results are proven with pencil and paper. The proof of the
subcomputation lemma 2.1 represents a typical meta-theoretical proof. MLF is designed to
support this proof work. The inference rule system of MLF is based on the sequent calculus
for intuitionistic logic, equipped with rules to incorporate declarations from LF signatures into
the proof process. In addition, it offers a general recursion rule, which can be used to provide
induction hypotheses, and a case distinction rule. The case distinction rule is used in the proof of
the subcomputation lemma. MLF also contains a cut rule: the cut rule allows the combination
of already proven results. We showed in the example that if an external lemma is needed for
the proof of a theorem, the proof proceeds in three steps. First, the external lemma is proven.
Second, the theorem is derived under the additional assumption that the external lemma
holds. Third, both derivations are combined with the cut rule.

One purpose of MLF is to keep a strict distinction between the meta level and the LF level. This
is important because MLF should only be an auxiliary device to reason about LF: once a
result is found, the objective is to transform everything back to the LF level. The purity
results guarantee that there is a well-defined interface between MLF and LF.

From a logical point of view, applications of the cut rule are unwanted: the purity result,
for example, holds only for the cut-free case. The question to ask is whether an application of
the cut rule is necessary or whether it can be eliminated. We have shown the local reduction
theorem as a first step towards a general cut-elimination theorem.

This thesis also raises a lot of questions for future research. MLF has to be refined and
implemented, and its theory has to be developed further:

1. Even though this thesis is very theoretical in its content, its objective is of a practical
nature: to develop an interactive proof assistant component for Elf. So far MLF has not
been implemented. It is planned to write a prototype based on MLF as an extension
of Elf.

2. From a theoretical point of view, the development of MLF is not yet finished: a major
topic for future research will be the generalization of MLF to a meta logic for full LF. The
inference rule system of MLF is very strict in the treatment of LF function types: no
$\Pi$-type is allowed to occur on the right hand side of a sequent. But this is too restrictive.
Consider the following assumption: $X \in \Pi x : \mathsf{exp}.\ \mathsf{exp}$. It is worthwhile to examine if and
how MLF could be generalized so that the following axiom application is allowed:

$$\frac{}{X \in \Pi x : \mathsf{exp}.\ \mathsf{exp} \vdash_\Sigma X \in \Pi x : \mathsf{exp}.\ \mathsf{exp}}\ \textsf{id}$$

A very closely related question is how higher-order abstract syntax can be treated. If
MLF is extended to full LF, this question is answered as well.

3. Another very important research issue is if and how MLF proofs can be transformed into
type families on the LF level. We proved purity results as a first step in this direction.
We have seen in the example that it is possible to represent the append lemma and the
subcomputation lemma in LF. The problem becomes much more complicated if higher-order
abstract syntax is involved.

4. More work has to be done concerning the meta theory of MLF. It would be very
desirable to have a cut/case-elimination result. We believe that much more theoretical
work is necessary to obtain such a result. The connection between MLF and LF must be
studied in more detail.

5. The rule system of MLF contains the recursion rule. The recursion rule is defined with
a side condition which requires the proof term to be total. We did not give any details
about this side condition. For a correct implementation of MLF, this judgement has to be
defined appropriately.

We believe that MLF is a first promising step towards a meta reasoning component for LF.
More work is still to be done.


Appendix  A 

MLF  rules 


A.1 Language of MLF

$$\begin{array}{lrcl}
\text{Formulae:} & F & ::= & \forall X : A.\, F \mid \exists X : A.\, F \mid F_1 \wedge F_2 \mid F_1 \vee F_2 \mid F_1 \rightarrow F_2 \mid 1 \mid A \\[2pt]
\text{Goal formulae:} & G & ::= & \forall X : A_D.\, G \mid \exists X : A_G.\, G \mid G_1 \wedge G_2 \mid G_1 \vee G_2 \mid D \rightarrow G \mid 1 \mid A_G \\[2pt]
\text{Data formulae:} & D & ::= & \forall X : A_G.\, D \mid \exists X : A_D.\, D \mid D_1 \wedge D_2 \mid D_1 \vee D_2 \mid G \rightarrow D \mid 1 \mid A_D \\[2pt]
\text{Core formulae:} & C & ::= & \forall X : A_P.\, C \mid \exists X : A_P.\, C \mid C_1 \wedge C_2 \mid C_1 \vee C_2 \mid C_1 \rightarrow C_2 \mid 1 \mid A_P \\[2pt]
\text{Program patterns:} & Q & ::= & (\mathsf{unit}) \mid (\mathsf{pair}\ X_1\ X_2) \mid (\mathsf{inl}\ X) \mid (\mathsf{inr}\ X) \mid (\mathsf{inx}\ X_1\ X_2) \mid N \\[2pt]
\text{Programs:} & P & ::= & X \mid (\mathsf{unit}) \mid (\mathsf{rec}\ X.\, P) \mid (\mathsf{fun}\ X.\, P) \mid (\mathsf{pair}\ P_1\ P_2) \mid (\mathsf{inl}\ P) \\
& & \mid & (\mathsf{inr}\ P) \mid (\mathsf{inx}\ P_1\ P_2) \mid (\mathsf{let}\ P_1\ \mathsf{be}\ X\ \mathsf{in}\ P_2) \mid (\mathsf{app}\ P_1\ P_2) \mid M \\
& & \mid & \left(\begin{array}{l} \mathsf{case}\ P\ \mathsf{of} \\ \quad Q^{(1)} \Rightarrow P^{(1)} \\ \quad \mid \cdots \\ \quad \mid Q^{(n)} \Rightarrow P^{(n)} \end{array}\right) \\[2pt]
\text{Kinds:} & K & ::= & \mathsf{type} \mid \Pi x : A_G.\, K \\[2pt]
\text{Types:} & A & ::= & a \mid (A\ M) \mid \Pi x : A_1.\, A_2 \\[2pt]
\text{Atomic types:} & A_P & ::= & a \mid (A_P\ M) \\[2pt]
\text{Goal types:} & A_G & ::= & A_P \\[2pt]
\text{Data types:} & A_D & ::= & A_P \mid \Pi x : A_G.\, A_D \\[2pt]
\text{Objects:} & M & ::= & P \mid x \mid c \mid \lambda x : A_G.\, M \mid (M_1\ M_2) \\[2pt]
\text{Pure objects:} & M & ::= & X \mid x \mid c \mid \lambda x : A_G.\, M \mid (M_1\ M_2) \\[2pt]
\text{Object patterns:} & N & ::= & c \mid (N\ X) \\[2pt]
\text{Meta-context:} & \Gamma & ::= & \cdot \mid \Gamma, X \in D \\[2pt]
\text{Object-context:} & \Delta & ::= & \cdot \mid \Delta, x : A_D \\[2pt]
\text{Signature:} & \Sigma & ::= & \cdot \mid \Sigma, c : A_D \mid \Sigma, a : K
\end{array}$$

Object variable names: $x$; meta variable names: $X$; object constant names: $c$; type constant names: $a$.
A.2 Judgements for MLF

1. $\vdash_\Sigma \Gamma\ \mathrm{ctx}$
2. $\Gamma \vdash_\Sigma G\ \mathrm{goal}$ and $\Gamma \vdash_\Sigma D\ \mathrm{data}$
3. $\Gamma \vdash_\Sigma P \in G$
4. $\Gamma \vdash_\Sigma \Delta\ \mathrm{objctx}$
5. $\Gamma; \Delta \vdash_\Sigma K\ \mathrm{kind}$
6. $\Gamma; \Delta \vdash_\Sigma A_P : K$, $\Gamma; \Delta \vdash_\Sigma A_G : K$ and $\Gamma; \Delta \vdash_\Sigma A_D : K$
7. $\Gamma; \Delta \vdash_\Sigma M : A_P$, $\Gamma; \Delta \vdash_\Sigma M : A_G$ and $\Gamma; \Delta \vdash_\Sigma M : A_D$
8. $M_1 = M_2$
9. $A_{P1} = A_{P2}$, $A_{G1} = A_{G2}$ and $A_{D1} = A_{D2}$
10. $K_1 = K_2$

A.2.1 Typing rules for meta context

Judgment: $\vdash_\Sigma \Gamma\ \mathrm{ctx}$

Rules:

$$\frac{}{\vdash_\Sigma \cdot\ \mathrm{ctx}}\ \textsf{ctxemp}
\qquad
\frac{\vdash_\Sigma \Gamma\ \mathrm{ctx} \qquad \Gamma \vdash_\Sigma D\ \mathrm{data}}{\vdash_\Sigma \Gamma, X \in D\ \mathrm{ctx}}\ \textsf{ctxcons}$$


A.2.2 Typing rules for goals

Judgment: $\Gamma \vdash_\Sigma G\ \mathrm{goal}$

Rules:

$$\frac{\Gamma; \cdot \vdash_\Sigma A_D : \mathsf{type} \qquad \Gamma, X \in A_D \vdash_\Sigma G\ \mathrm{goal}}{\Gamma \vdash_\Sigma \forall X : A_D.\, G\ \mathrm{goal}}\ \textsf{goalforall}$$

$$\frac{\Gamma; \cdot \vdash_\Sigma A_G : \mathsf{type} \qquad \Gamma, X \in A_G \vdash_\Sigma G\ \mathrm{goal}}{\Gamma \vdash_\Sigma \exists X : A_G.\, G\ \mathrm{goal}}\ \textsf{goalexists}$$

$$\frac{\Gamma \vdash_\Sigma G_1\ \mathrm{goal} \qquad \Gamma \vdash_\Sigma G_2\ \mathrm{goal}}{\Gamma \vdash_\Sigma G_1 \wedge G_2\ \mathrm{goal}}\ \textsf{goaland}
\qquad
\frac{\Gamma \vdash_\Sigma G_1\ \mathrm{goal} \qquad \Gamma \vdash_\Sigma G_2\ \mathrm{goal}}{\Gamma \vdash_\Sigma G_1 \vee G_2\ \mathrm{goal}}\ \textsf{goalor}$$

$$\frac{\Gamma \vdash_\Sigma D\ \mathrm{data} \qquad \Gamma \vdash_\Sigma G\ \mathrm{goal}}{\Gamma \vdash_\Sigma D \rightarrow G\ \mathrm{goal}}\ \textsf{goalimp}
\qquad
\frac{}{\Gamma \vdash_\Sigma 1\ \mathrm{goal}}\ \textsf{goaltrue}$$

$$\frac{\Gamma; \cdot \vdash_\Sigma K\ \mathrm{kind} \qquad \Gamma; \cdot \vdash_\Sigma A_G : K}{\Gamma \vdash_\Sigma A_G\ \mathrm{goal}}\ \textsf{goaltype}$$


A.2.3 Typing rules for data formulae

Judgment: $\Gamma \vdash_\Sigma D\ \mathrm{data}$

Rules:

$$\frac{\Gamma; \cdot \vdash_\Sigma A_G : \mathsf{type} \qquad \Gamma, X \in A_G \vdash_\Sigma D\ \mathrm{data}}{\Gamma \vdash_\Sigma \forall X : A_G.\, D\ \mathrm{data}}\ \textsf{dataforall}$$

$$\frac{\Gamma; \cdot \vdash_\Sigma A_D : \mathsf{type} \qquad \Gamma, X \in A_D \vdash_\Sigma D\ \mathrm{data}}{\Gamma \vdash_\Sigma \exists X : A_D.\, D\ \mathrm{data}}\ \textsf{dataexists}$$

$$\frac{\Gamma \vdash_\Sigma D_1\ \mathrm{data} \qquad \Gamma \vdash_\Sigma D_2\ \mathrm{data}}{\Gamma \vdash_\Sigma D_1 \wedge D_2\ \mathrm{data}}\ \textsf{dataand}
\qquad
\frac{\Gamma \vdash_\Sigma D_1\ \mathrm{data} \qquad \Gamma \vdash_\Sigma D_2\ \mathrm{data}}{\Gamma \vdash_\Sigma D_1 \vee D_2\ \mathrm{data}}\ \textsf{dataor}$$

$$\frac{\Gamma \vdash_\Sigma G\ \mathrm{goal} \qquad \Gamma \vdash_\Sigma D\ \mathrm{data}}{\Gamma \vdash_\Sigma G \rightarrow D\ \mathrm{data}}\ \textsf{dataimp}
\qquad
\frac{}{\Gamma \vdash_\Sigma 1\ \mathrm{data}}\ \textsf{datatrue}$$

$$\frac{\Gamma; \cdot \vdash_\Sigma K\ \mathrm{kind} \qquad \Gamma; \cdot \vdash_\Sigma A_D : K}{\Gamma \vdash_\Sigma A_D\ \mathrm{data}}\ \textsf{datatype}$$
A.2.4 Typing rules for programs

Judgment: $\Gamma \vdash_\Sigma P \in G$

Rules:

$$\frac{\vdash_\Sigma \Gamma_1, X \in C, \Gamma_2\ \mathrm{ctx}}{\Gamma_1, X \in C, \Gamma_2 \vdash_\Sigma X \in C}\ \textsf{id}
\qquad
\frac{\vdash_\Sigma \Gamma\ \mathrm{ctx}}{\Gamma \vdash_\Sigma c \in A_G}\ \textsf{const}\ \ \text{for } c : A_G \text{ defined in } \Sigma$$

$$\frac{\vdash_\Sigma \Gamma\ \mathrm{ctx}}{\Gamma \vdash_\Sigma (\mathsf{unit}) \in 1}\ \textsf{R1}
\qquad
\frac{\Gamma \vdash_\Sigma P_1 \in G_1 \qquad \Gamma \vdash_\Sigma P_2 \in G_2}{\Gamma \vdash_\Sigma (\mathsf{pair}\ P_1\ P_2) \in G_1 \wedge G_2}\ \textsf{R}\wedge$$

$$\frac{\Gamma \vdash_\Sigma P \in G_1}{\Gamma \vdash_\Sigma (\mathsf{inl}\ P) \in G_1 \vee G_2}\ \textsf{R}\vee_1
\qquad
\frac{\Gamma \vdash_\Sigma P \in G_2}{\Gamma \vdash_\Sigma (\mathsf{inr}\ P) \in G_1 \vee G_2}\ \textsf{R}\vee_2$$

$$\frac{\Gamma, X \in D \vdash_\Sigma P \in G}{\Gamma \vdash_\Sigma (\mathsf{fun}\ X.\, P) \in D \rightarrow G}\ \textsf{R}\rightarrow
\qquad
\frac{\Gamma, Y \in A_D \vdash_\Sigma [Y/X]P \in [Y/X](G)}{\Gamma \vdash_\Sigma (\mathsf{fun}\ X.\, P) \in \forall X : A_D.\, G}\ \textsf{R}\forall$$

$$\frac{\Gamma \vdash_\Sigma P' \in A_G \qquad \Gamma \vdash_\Sigma P \in [P'/X](G)}{\Gamma \vdash_\Sigma (\mathsf{inx}\ P'\ P) \in \exists X : A_G.\, G}\ \textsf{R}\exists
\qquad
\frac{\Gamma, X \in G \vdash_\Sigma P \in G}{\Gamma \vdash_\Sigma (\mathsf{rec}\ X.\, P) \in G}\ \textsf{rec}\ \ \text{with } P \downarrow X$$

$$\frac{\Gamma_1, X \in D_1 \wedge D_2, \Gamma_2, X_1 \in D_1, X_2 \in D_2 \vdash_\Sigma P \in G}{\Gamma_1, X \in D_1 \wedge D_2, \Gamma_2 \vdash_\Sigma (\mathsf{case}\ X\ \mathsf{of}\ (\mathsf{pair}\ X_1\ X_2) \Rightarrow P) \in G}\ \textsf{L}\wedge$$

$$\frac{\Gamma_1, X \in D_1 \vee D_2, \Gamma_2, X_1 \in D_1 \vdash_\Sigma P_1 \in G \qquad \Gamma_1, X \in D_1 \vee D_2, \Gamma_2, X_2 \in D_2 \vdash_\Sigma P_2 \in G}{\Gamma_1, X \in D_1 \vee D_2, \Gamma_2 \vdash_\Sigma (\mathsf{case}\ X\ \mathsf{of}\ (\mathsf{inl}\ X_1) \Rightarrow P_1 \mid (\mathsf{inr}\ X_2) \Rightarrow P_2) \in G}\ \textsf{L}\vee$$

$$\frac{\Gamma_1, X \in G_1 \rightarrow D, \Gamma_2 \vdash_\Sigma P_1 \in G_1 \qquad \Gamma_1, X \in G_1 \rightarrow D, \Gamma_2, Y \in D \vdash_\Sigma P_2 \in G_2}{\Gamma_1, X \in G_1 \rightarrow D, \Gamma_2 \vdash_\Sigma (\mathsf{let}\ (\mathsf{app}\ X\ P_1)\ \mathsf{be}\ Y\ \mathsf{in}\ P_2) \in G_2}\ \textsf{L}\rightarrow$$

$$\frac{\Gamma_1, X \in \forall Y : A_G.\, D, \Gamma_2 \vdash_\Sigma P_1 \in A_G \qquad \Gamma_1, X \in \forall Y : A_G.\, D, \Gamma_2, Z \in [P_1/Y](D) \vdash_\Sigma P_2 \in G}{\Gamma_1, X \in \forall Y : A_G.\, D, \Gamma_2 \vdash_\Sigma (\mathsf{let}\ (\mathsf{app}\ X\ P_1)\ \mathsf{be}\ Z\ \mathsf{in}\ P_2) \in G}\ \textsf{L}\forall$$

$$\frac{\Gamma_1, X \in \exists Y : A_D.\, D, \Gamma_2, X_1 \in A_D, X_2 \in [X_1/Y](D) \vdash_\Sigma P \in G}{\Gamma_1, X \in \exists Y : A_D.\, D, \Gamma_2 \vdash_\Sigma (\mathsf{case}\ X\ \mathsf{of}\ (\mathsf{inx}\ X_1\ X_2) \Rightarrow P) \in G}\ \textsf{L}\exists$$

$$\frac{\Gamma_1, X \in \Pi x : A_G.\, A_D, \Gamma_2 \vdash_\Sigma M \in A_G \qquad \Gamma_1, X \in \Pi x : A_G.\, A_D, \Gamma_2, Y \in \{M/x\}_{\mathrm{type}}(A_D) \vdash_\Sigma P \in G}{\Gamma_1, X \in \Pi x : A_G.\, A_D, \Gamma_2 \vdash_\Sigma [X\ M/Y](P) \in G}\ \textsf{L}\Pi$$

$$\frac{\Gamma_1, X \in \Pi x : A_G.\, A_D, \Gamma_2 \vdash_\Sigma Z \in A_G \qquad \Gamma_1, X \in \Pi x : A_G.\, A_D, \Gamma_2, Y \in \{Z/x\}_{\mathrm{type}}(A_D) \vdash_\Sigma P \in G}{\Gamma_1, X \in \Pi x : A_G.\, A_D, \Gamma_2 \vdash_\Sigma [X\ Z/Y](P) \in G}\ \textsf{L}\Pi\forall$$

$$\frac{\Gamma \vdash_\Sigma M \in A_G \qquad \Gamma, Y \in \{M/x\}_{\mathrm{type}}(A_D) \vdash_\Sigma P \in G}{\Gamma \vdash_\Sigma [c\ M/Y](P) \in G}\ \textsf{L}\Pi\Sigma\ \ \text{where } c : \Pi x : A_G.\, A_D \in \Sigma$$

$$\frac{\Gamma \vdash_\Sigma Z \in A_G \qquad \Gamma, Y \in \{Z/x\}_{\mathrm{type}}(A_D) \vdash_\Sigma P \in G}{\Gamma \vdash_\Sigma [c\ Z/Y](P) \in G}\ \textsf{L}\Pi\Sigma\forall\ \ \text{where } c : \Pi x : A_G.\, A_D \in \Sigma$$

$$\frac{\vdash_\Sigma [P/X](\Gamma)\ \mathrm{ctx} \qquad \Gamma \vdash_\Sigma P \in A_G \qquad \Delta^{(i)}, [\Theta^{(i)}](\Gamma') \vdash_\Sigma P^{(i)} \in [\Theta^{(i)}](G')\ \ \text{for all } i \le n}{[P/X](\Gamma) \vdash_\Sigma \left(\begin{array}{l} \mathsf{case}\ P\ \mathsf{of} \\ \quad Q^{(1)} \Rightarrow [\eta](P^{(1)}) \\ \quad \mid \cdots \\ \quad \mid Q^{(n)} \Rightarrow [\eta](P^{(n)}) \end{array}\right) \in [P/X](G)}\ \textsf{case}$$

where the following side conditions hold:

1. $\mathrm{Ind}_{\Sigma,\Gamma}(X, A_G') = \{(\Delta^{(1)}, \Theta^{(1)}), \ldots, (\Delta^{(n)}, \Theta^{(n)})\}$
2. There is an $\eta$ such that $[\eta](A_G') = A_G$, $[\eta](\Gamma') = \Gamma$ and $[\eta](G') = G$

$$\frac{\Gamma_1 \vdash_\Sigma P \in D \qquad \Gamma_1, X \in D, \Gamma_2 \vdash_\Sigma P' \in G}{\Gamma_1, [P/X](\Gamma_2) \vdash_\Sigma [P/X](P') \in [P/X](G)}\ \textsf{cut}$$
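The rules above, together with the three-step scheme of section 5.3 (prove the lemma, prove the theorem under the assumption that the lemma holds, combine both with cut), can be run on the propositional fragment. The following Python program is an added example and not part of the thesis or of Elf: it checks proof terms against the cut-free rules id, R1, R∧, R∨, R→, L∧, L∨ and L→, implements the cut rule as the substitution $[P/X](P')$ on proof terms, and then runs the three steps on a constructed lemma $A \wedge B \rightarrow B \wedge A$ and theorem $A \wedge B \rightarrow B \vee C$. The tuple encoding, the tag names and the sample formulae are this example's own. The last step shows what the conclusion chapter refers to: the term produced by cut has a `fun` rather than a context variable in the head position of `app`, so it is typed only by the cut rule and not by the cut-free rules; the term obtained by a local reduction is.

```python
"""Proof-term checker for the propositional fragment of MLF (added example).

Implements the cut-free rules id, R1, R/\, R\/1, R\/2, R->, L/\, L\/ and L->
of Appendix A.2.4 for formulae built from atoms, 1, /\, \/ and -> only
(no quantifiers, no LF objects), plus the cut rule as substitution.
Formulae and programs are encoded as nested tuples; the tag names are this
example's own and not notation of the thesis.
"""
from typing import Dict, Tuple

Formula = Tuple  # ('atom', a) | ('one',) | ('and', F, F) | ('or', F, F) | ('imp', F, F)
Program = Tuple  # program forms are listed in check()


def check(ctx: Dict[str, Formula], prog: Program, goal: Formula) -> bool:
    """True iff  ctx |-_Sigma prog in goal  is derivable with the cut-free rules."""
    tag = prog[0]
    if tag == 'var':                              # id: X in C is in ctx and goal is C
        return ctx.get(prog[1]) == goal
    if tag == 'unit':                             # R1
        return goal == ('one',)
    if tag == 'pair':                             # R/\: (pair P1 P2) in G1 /\ G2
        return (goal[0] == 'and' and check(ctx, prog[1], goal[1])
                and check(ctx, prog[2], goal[2]))
    if tag == 'inl':                              # R\/1
        return goal[0] == 'or' and check(ctx, prog[1], goal[1])
    if tag == 'inr':                              # R\/2
        return goal[0] == 'or' and check(ctx, prog[1], goal[2])
    if tag == 'fun':                              # R->: (fun X. P) in D -> G
        _, x, body = prog
        return goal[0] == 'imp' and check({**ctx, x: goal[1]}, body, goal[2])
    if tag == 'case_pair':                        # L/\: case X of (pair X1 X2) => P
        _, x, x1, x2, body = prog
        d = ctx.get(x)
        return (d is not None and d[0] == 'and'
                and check({**ctx, x1: d[1], x2: d[2]}, body, goal))
    if tag == 'case_or':                          # L\/: case X of (inl X1) => P1 | (inr X2) => P2
        _, x, x1, p1, x2, p2 = prog
        d = ctx.get(x)
        return (d is not None and d[0] == 'or'
                and check({**ctx, x1: d[1]}, p1, goal)
                and check({**ctx, x2: d[2]}, p2, goal))
    if tag == 'let_app':                          # L->: let (app X P1) be Y in P2
        _, head, p1, y, p2 = prog
        if head[0] != 'var':                      # the rule needs a context variable as head
            return False
        d = ctx.get(head[1])
        return (d is not None and d[0] == 'imp'
                and check(ctx, p1, d[1])
                and check({**ctx, y: d[2]}, p2, goal))
    return False


def subst(prog: Program, x: str, by: Program) -> Program:
    """[by/x](prog), the substitution the cut rule performs on the proof term.
    Binders are assumed to be named apart from x (variable convention)."""
    if prog[0] == 'var':
        return by if prog[1] == x else prog
    return tuple(subst(p, x, by) if isinstance(p, tuple) else p for p in prog)


# --- the three-step scheme of section 5.3 on a constructed propositional example ---
A, B, C = ('atom', 'A'), ('atom', 'B'), ('atom', 'C')

# Step 1: the "external lemma"  A /\ B -> B /\ A  with its proof term.
LEMMA = ('imp', ('and', A, B), ('and', B, A))
LEMMA_PROOF = ('fun', 'X', ('case_pair', 'X', 'X1', 'X2',
                            ('pair', ('var', 'X2'), ('var', 'X1'))))

# Step 2: the theorem  A /\ B -> B \/ C, proved under the assumption Swap in LEMMA.
THEOREM = ('imp', ('and', A, B), ('or', B, C))
THEOREM_PROOF = ('fun', 'Y', ('let_app', ('var', 'Swap'), ('var', 'Y'), 'Z',
                              ('case_pair', 'Z', 'Z1', 'Z2', ('inl', ('var', 'Z1')))))

# Step 3: cut.  The rule types [LEMMA_PROOF/Swap](THEOREM_PROOF) in the empty context.
CUT_TERM = subst(THEOREM_PROOF, 'Swap', LEMMA_PROOF)

# A cut-free proof term for the same theorem, as a local reduction would produce it.
REDUCED_PROOF = ('fun', 'Y', ('case_pair', 'Y', 'Y1', 'Y2', ('inl', ('var', 'Y2'))))


def three_steps() -> Tuple[bool, bool, bool, bool]:
    """(lemma checks, theorem checks under the assumption,
        cut term checks with the cut-free rules, reduced term checks)"""
    return (check({}, LEMMA_PROOF, LEMMA),
            check({'Swap': LEMMA}, THEOREM_PROOF, THEOREM),
            check({}, CUT_TERM, THEOREM),
            check({}, REDUCED_PROOF, THEOREM))


if __name__ == '__main__':
    print(three_steps())   # (True, True, False, True)
```

A checker for the full calculus would also carry the LF signature, the quantifier rules and the case rule with its side conditions; they are left out so that the effect of cut on the proof term stays visible: the cut rule is a typing rule whose conclusion is a substituted term, and turning that term into one the cut-free rules accept is exactly the cut-elimination question left open in chapter 6.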
A.2.5 Typing rules for object context

Judgment: $\Gamma \vdash_\Sigma \Delta\ \mathrm{objctx}$

Rules:

$$\frac{}{\Gamma \vdash_\Sigma \cdot\ \mathrm{objctx}}\ \textsf{objctxemp}
\qquad
\frac{\Gamma \vdash_\Sigma \Delta\ \mathrm{objctx} \qquad \Gamma; \Delta \vdash_\Sigma A_D : \mathsf{type}}{\Gamma \vdash_\Sigma \Delta, x : A_D\ \mathrm{objctx}}\ \textsf{objctxcons}$$


A.2.6 Typing rules for kinds

Judgment: $\Gamma; \Delta \vdash_\Sigma K\ \mathrm{kind}$

Rules:

$$\frac{}{\Gamma; \Delta \vdash_\Sigma \mathsf{type}\ \mathrm{kind}}\ \textsf{kindtype}
\qquad
\frac{\Gamma; \Delta \vdash_\Sigma A_G : \mathsf{type} \qquad \Gamma; \Delta, x : A_G \vdash_\Sigma K\ \mathrm{kind}}{\Gamma; \Delta \vdash_\Sigma \Pi x : A_G.\, K\ \mathrm{kind}}\ \textsf{kindpi}$$

Note that every $A_G$ is also an $A_D$.


A.2.7 Typing rules for atomic types

Judgment: $\Gamma; \Delta \vdash_\Sigma A_P : K$

Rules:

$$\frac{\Sigma(a) = K}{\Gamma; \Delta \vdash_\Sigma a : K}\ \textsf{typeatomconst}
\qquad
\frac{\Gamma; \Delta \vdash_\Sigma A_P : \Pi x : A_G.\, K \qquad \Gamma; \Delta \vdash_\Sigma M : A_G}{\Gamma; \Delta \vdash_\Sigma (A_P\ M) : \{M/x\}_{\mathrm{kind}}(K)}\ \textsf{typeatomapp}$$

$$\frac{\Gamma; \Delta \vdash_\Sigma A_P : K \qquad K = K' \qquad \Gamma; \Delta \vdash_\Sigma K'\ \mathrm{kind}}{\Gamma; \Delta \vdash_\Sigma A_P : K'}\ \textsf{typeatomequiv}$$
A.2.8 Typing rules for goal types

Judgment: $\Gamma; \Delta \vdash_\Sigma A_G : K$

Rules: no new rules.

A.2.9 Typing rules for data types

Judgment: $\Gamma; \Delta \vdash_\Sigma A_D : K$

Rules:

$$\frac{\Gamma; \Delta \vdash_\Sigma A_G : \mathsf{type} \qquad \Gamma; \Delta, x : A_G \vdash_\Sigma A_D : \mathsf{type}}{\Gamma; \Delta \vdash_\Sigma \Pi x : A_G.\, A_D : \mathsf{type}}\ \textsf{typedatapi}$$

A.2.10 Typing rules for objects of atomic type

Judgment: $\Gamma; \Delta \vdash_\Sigma M : A_P$

Rules: no rules.

A.2.11 Typing rules for objects of goal type

Judgment: $\Gamma; \Delta \vdash_\Sigma M : A_G$

Rules:

Impure MLF:

$$\frac{\Gamma \vdash_\Sigma P \in A_G}{\Gamma; \Delta \vdash_\Sigma P : A_G}\ \textsf{objgoalprgI}$$

Pure MLF:

$$\frac{\Gamma(X) = A_G}{\Gamma; \Delta \vdash_\Sigma X : A_G}\ \textsf{objgoalprgP}$$
A.2.12 Typing rules for objects of data type

Judgment: $\Gamma; \Delta \vdash_\Sigma M : A_D$

Rules:

$$\frac{\Delta(x) = A_D}{\Gamma; \Delta \vdash_\Sigma x : A_D}\ \textsf{objdatasigma}
\qquad
\frac{\Sigma(c) = A_D}{\Gamma; \Delta \vdash_\Sigma c : A_D}\ \textsf{objdataconst}$$

$$\frac{\Gamma; \Delta \vdash_\Sigma M_1 : \Pi x : A_G.\, A_D \qquad \Gamma; \Delta \vdash_\Sigma M_2 : A_G}{\Gamma; \Delta \vdash_\Sigma (M_1\ M_2) : \{M_2/x\}_{\mathrm{type}}(A_D)}\ \textsf{objdataapp}$$

$$\frac{\Gamma; \Delta, x : A_G \vdash_\Sigma M : A_D}{\Gamma; \Delta \vdash_\Sigma \lambda x : A_G.\, M : \Pi x : A_G.\, A_D}\ \textsf{objdatapi}$$

$$\frac{\Gamma; \Delta \vdash_\Sigma M : A_D \qquad A_D = A_D' \qquad \Gamma; \Delta \vdash_\Sigma A_D' : \mathsf{type}}{\Gamma; \Delta \vdash_\Sigma M : A_D'}\ \textsf{objdataequiv}$$

There are no rules for typing programs at this level.


A.2.13 Congruence relation for kinds

Judgment: $K_1 = K_2$

Rules: same as in LF [Pfe92, HHP93].

A.2.14 Congruence relation for atomic types

Judgment: $A_{P1} = A_{P2}$

Rules: transitivity and congruence as in LF.

A.2.15 Congruence relation for goal types

Judgment: $A_{G1} = A_{G2}$

Rules: similar to Subsection A.2.14.

A.2.16 Congruence relation for data types

Judgment: $A_{D1} = A_{D2}$

Rules: transitivity and congruence rules as in LF.

A.2.17 Congruence relation for objects

Judgment: $M_1 = M_2$

Rules:

$$\frac{}{(\lambda x : A_G.\, M)\ N = \{N/x\}_{\mathrm{object}}(M)}\ \textsf{objbeta}
\qquad
\frac{}{(\lambda x : A_G.\, (M\ x)) = M}\ \textsf{objeta}$$

Impure MLF:

$$\frac{}{P = P}\ \textsf{objprgI}$$

Pure MLF:

$$\frac{}{X = X}\ \textsf{objprgP}$$

Transitivity and congruence as in LF.
Appendix B


Purity  proofs 

Lemma 4.1 Let $M'$ be a pure object, $A'$ a pure type, and $\Theta$ a strictly pure substitution, i.e.
$\Theta(X) = Y$ or $\Theta(X) = M$ for all $X \in \mathrm{dom}(\Theta)$. Then $\Theta(M')$ is pure and $\Theta(A')$ is pure.

Proof: by mutual induction over the structure of $A'$ and $M'$.

Case: $M' = X$. If $\Theta(X) = Y$ then
$$[\Theta]_{\mathrm{object}}(M') = [\Theta]_{\mathrm{object}}(X) = [\Theta]_{\mathrm{program}}(X) = Y$$
which is pure. Note that $X = Y$ is possible. In the other case, if $\Theta(X) = M$, then
$$[\Theta]_{\mathrm{object}}(M') = [\Theta]_{\mathrm{object}}(X) = M$$
is pure.

Case: $M' = x$. $[\Theta]_{\mathrm{object}}(M') = [\Theta]_{\mathrm{object}}(x) = x$ is pure.

Case: $M' = c$. $[\Theta]_{\mathrm{object}}(M') = [\Theta]_{\mathrm{object}}(c) = c$ is pure.

Case: $M' = \lambda x : A_G'.\, M''$.
$$[\Theta]_{\mathrm{object}}(M') = [\Theta]_{\mathrm{object}}(\lambda x : A_G'.\, M'') = \lambda x : [\Theta]_{\mathrm{type}}(A_G').\, [\Theta]_{\mathrm{object}}(M'')$$
The induction hypothesis gives us that $[\Theta]_{\mathrm{type}}(A_G')$ and $[\Theta]_{\mathrm{object}}(M'')$ are pure. Therefore
$[\Theta]_{\mathrm{object}}(M')$ is pure.

Case: $M' = (M_1'\ M_2')$.
$$[\Theta]_{\mathrm{object}}(M') = [\Theta]_{\mathrm{object}}(M_1'\ M_2') = ([\Theta]_{\mathrm{object}}(M_1')\ [\Theta]_{\mathrm{object}}(M_2'))$$
The induction hypothesis gives us that $[\Theta]_{\mathrm{object}}(M_1')$ and $[\Theta]_{\mathrm{object}}(M_2')$ are pure. Therefore
$[\Theta]_{\mathrm{object}}(M')$ is pure.

Case: $A' = a$. $[\Theta]_{\mathrm{type}}(A') = [\Theta]_{\mathrm{type}}(a) = a$ is pure.

Case: $A' = \Pi x : A_1'.\, A_2'$.
$$[\Theta]_{\mathrm{type}}(A') = [\Theta]_{\mathrm{type}}(\Pi x : A_1'.\, A_2') = \Pi x : [\Theta]_{\mathrm{type}}(A_1').\, [\Theta]_{\mathrm{type}}(A_2')$$
The induction hypothesis gives us that $[\Theta]_{\mathrm{type}}(A_1')$ and $[\Theta]_{\mathrm{type}}(A_2')$ are pure. Therefore
$[\Theta]_{\mathrm{type}}(A')$ is pure.

Case: $A' = (A_1'\ M_1')$.
$$[\Theta]_{\mathrm{type}}(A') = [\Theta]_{\mathrm{type}}(A_1'\ M_1') = ([\Theta]_{\mathrm{type}}(A_1')\ [\Theta]_{\mathrm{object}}(M_1'))$$
The induction hypothesis gives us that $[\Theta]_{\mathrm{type}}(A_1')$ and $[\Theta]_{\mathrm{object}}(M_1')$ are pure. Therefore
$[\Theta]_{\mathrm{type}}(A')$ is pure.

□


Lemma 4.2 Let $\Theta$ be a substitution and $[\Theta](M)$ be a pure object. Then $M$ is pure.

Proof: Assume the contrary. $M$ is not pure implies $[\Theta](M)$ not pure: there is a subobject $M_1$
of the form $P$ where $P$ is not a variable name. Then $[\Theta](M_1) = [\Theta](P)$ is again a program
that is not a variable name, i.e. $[\Theta](P) \ne [\Theta](Y)$ for every $Y$.
Since $[\Theta](M_1)$ is a subobject of $[\Theta](M)$, $[\Theta](M)$ cannot be pure. □

Lemma 4.3 Let $\Theta$ be a substitution and $[\Theta](A)$ be a pure type. Then $A$ is pure.

Proof: Assume the contrary. $A$ is not pure implies $[\Theta](A)$ not pure: there is a syntactic
subtype of the form $(A_1\ M)$ with $M$ not pure. By lemma 4.2 we obtain $[\Theta](M)$ not pure.
Therefore $[\Theta](A_1\ M)$ is not pure, and since this is a syntactic subtype of $[\Theta](A)$, it cannot be
pure. □

Lemma 4.4 Let $\Theta$ be a substitution, $M$ an object with $[\Theta]_{\mathrm{object}}(M)$ pure, and $A$ a type with
$[\Theta]_{\mathrm{type}}(A)$ pure. Then $\Theta|_{\mathrm{Free}(M)}$ must be strict and $\Theta|_{\mathrm{Free}(A)}$ must be strict.

Proof: By lemma 4.2 we have that $M$ is pure, and by lemma 4.3 that $A$ is pure. Proof by mutual
induction over the structure of $M$ and $A$.

Case: $M = X$. Then
$$[\Theta]_{\mathrm{object}}(M) = [\Theta]_{\mathrm{object}}(X) = M'$$
where $M'$ is pure by assumption, i.e. $\Theta(X)$ is a meta variable or a pure object. Therefore
$\Theta|_{\{X\}}$ is strictly pure.

Case: $M = x$. $[\Theta]_{\mathrm{object}}(M) = x$. $\Theta$ does not do anything in this case; therefore $\Theta|_{\emptyset}$ is
strictly pure.

Case: $M = c$. $[\Theta]_{\mathrm{object}}(M) = c$. Therefore $\Theta|_{\emptyset}$ is strictly pure.

Case: $M = \lambda x : A_G.\, M_1$.
$$[\Theta]_{\mathrm{object}}(M) = [\Theta]_{\mathrm{object}}(\lambda x : A_G.\, M_1) = \lambda x : [\Theta]_{\mathrm{type}}(A_G).\, [\Theta]_{\mathrm{object}}(M_1)$$
$A_G$ pure type and $[\Theta]_{\mathrm{type}}(A_G)$ pure gives us that $\Theta|_{\mathrm{Free}(A_G)}$ is strict. $M_1$ pure object
and $[\Theta]_{\mathrm{object}}(M_1)$ pure gives us that $\Theta|_{\mathrm{Free}(M_1)}$ is strict. Therefore
$\Theta|_{\mathrm{Free}(M)} = \Theta|_{\mathrm{Free}(A_G) \cup \mathrm{Free}(M_1)} = \Theta|_{\mathrm{Free}(A_G)} \cup \Theta|_{\mathrm{Free}(M_1)}$ is strict.

Case: $M = (M_1\ M_2)$.
$$[\Theta]_{\mathrm{object}}(M) = [\Theta]_{\mathrm{object}}(M_1\ M_2) = ([\Theta]_{\mathrm{object}}(M_1)\ [\Theta]_{\mathrm{object}}(M_2))$$
$M_1$ pure object and $[\Theta]_{\mathrm{object}}(M_1)$ pure gives us that $\Theta|_{\mathrm{Free}(M_1)}$ is strict. $M_2$ pure object
and $[\Theta]_{\mathrm{object}}(M_2)$ pure gives us that $\Theta|_{\mathrm{Free}(M_2)}$ is strict. Therefore
$\Theta|_{\mathrm{Free}(M)} = \Theta|_{\mathrm{Free}(M_1) \cup \mathrm{Free}(M_2)} = \Theta|_{\mathrm{Free}(M_1)} \cup \Theta|_{\mathrm{Free}(M_2)}$ is strict.

Case: $A = a$. $[\Theta]_{\mathrm{type}}(A) = [\Theta]_{\mathrm{type}}(a) = a$. $\Theta|_{\emptyset}$ is strictly pure.

Case: $A = \Pi x : A_1.\, A_2$.
$$[\Theta]_{\mathrm{type}}(A) = [\Theta]_{\mathrm{type}}(\Pi x : A_1.\, A_2) = \Pi x : [\Theta]_{\mathrm{type}}(A_1).\, [\Theta]_{\mathrm{type}}(A_2)$$
$A_1$ pure type and $[\Theta]_{\mathrm{type}}(A_1)$ pure gives us that $\Theta|_{\mathrm{Free}(A_1)}$ is strict. $A_2$ pure type and
$[\Theta]_{\mathrm{type}}(A_2)$ pure gives us that $\Theta|_{\mathrm{Free}(A_2)}$ is strict. Therefore
$\Theta|_{\mathrm{Free}(A)} = \Theta|_{\mathrm{Free}(A_1) \cup \mathrm{Free}(A_2)} = \Theta|_{\mathrm{Free}(A_1)} \cup \Theta|_{\mathrm{Free}(A_2)}$ is strict.

Case: $A = (A_1\ M_1)$.
$$[\Theta]_{\mathrm{type}}(A) = [\Theta]_{\mathrm{type}}(A_1\ M_1) = ([\Theta]_{\mathrm{type}}(A_1)\ [\Theta]_{\mathrm{object}}(M_1))$$
$A_1$ pure type and $[\Theta]_{\mathrm{type}}(A_1)$ pure gives us that $\Theta|_{\mathrm{Free}(A_1)}$ is strict. $M_1$ pure object
and $[\Theta]_{\mathrm{object}}(M_1)$ pure gives us that $\Theta|_{\mathrm{Free}(M_1)}$ is strict. Therefore
$\Theta|_{\mathrm{Free}(A)} = \Theta|_{\mathrm{Free}(A_1) \cup \mathrm{Free}(M_1)} = \Theta|_{\mathrm{Free}(A_1)} \cup \Theta|_{\mathrm{Free}(M_1)}$ is strict.

□
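The notions used by lemmas 4.1 to 4.4 (pure object, pure type, strictly pure substitution, the restriction $\Theta|_{\mathrm{Free}(M)}$) are small enough to execute. The following Python module is an added example and not code of the thesis: it encodes the objects and types of Appendix A.1 as tuples, implements purity, free meta variables, substitution application and restriction, and checks lemmas 4.1, 4.2 and 4.4 on constructed sample terms over the type family $\mathsf{feval}$ from chapter 5. The tuple encoding, the function names and the constants $\mathsf{z}$, $\mathsf{s}$ and $\mathsf{c}$ are this example's own. Embedded programs are kept opaque under substitution, which is a simplification: the thesis applies $[\Theta]_{\mathrm{program}}$ inside them, but for the purity question only their presence matters.

```python
"""Purity of MLF objects and types under substitution (added example).

Objects and types follow Appendix A.1: meta variables X, object variables x,
constants c, lambda abstraction, application and, in impure MLF, an embedded
program P; types are constants a, applications (A M) and Pi-types.  A term is
pure when the only programs occurring in it are meta variables; a substitution
is strictly pure when it maps every meta variable to a meta variable or a pure
object (the hypothesis of lemma 4.1).  The tuple encoding, the function names
and the sample terms are this example's own.
"""
from typing import Dict, Set, Tuple

Term = Tuple
# objects: ('mvar', X) | ('ovar', x) | ('const', c) | ('lam', x, A, M) | ('app', M1, M2) | ('prog', P)
# types  : ('tconst', a) | ('tapp', A, M) | ('pi', x, A1, A2)


def is_pure(t: Term) -> bool:
    """Pure objects and pure types contain no embedded program node."""
    tag = t[0]
    if tag == 'prog':
        return False
    if tag in ('mvar', 'ovar', 'const', 'tconst'):
        return True
    if tag in ('lam', 'pi'):                  # binder name is t[1]; type and body follow
        return is_pure(t[2]) and is_pure(t[3])
    if tag in ('app', 'tapp'):
        return is_pure(t[1]) and is_pure(t[2])
    raise ValueError(f'unknown node {tag!r}')


def free_metavars(t: Term) -> Set[str]:
    """Free(t): the meta variables occurring in t (embedded programs are opaque here)."""
    if t[0] == 'mvar':
        return {t[1]}
    if t[0] == 'prog':
        return set()
    return set().union(*(free_metavars(s) for s in t[1:] if isinstance(s, tuple)))


def is_strictly_pure(theta: Dict[str, Term]) -> bool:
    """Theta(X) is a meta variable Y or a pure object M for every X in dom(Theta)."""
    return all(is_pure(m) for m in theta.values())


def apply(theta: Dict[str, Term], t: Term) -> Term:
    """[Theta]_object / [Theta]_type: replace the free meta variables of t.
    Embedded programs are left untouched; their presence alone already makes
    the result impure, which is all the purity lemmas depend on."""
    tag = t[0]
    if tag == 'mvar':
        return theta.get(t[1], t)
    if tag in ('ovar', 'const', 'tconst', 'prog'):
        return t
    return (tag,) + tuple(apply(theta, s) if isinstance(s, tuple) else s for s in t[1:])


def restrict(theta: Dict[str, Term], names: Set[str]) -> Dict[str, Term]:
    """Theta restricted to the meta variables in names."""
    return {x: m for x, m in theta.items() if x in names}


# Lemmas 4.1, 4.2 and 4.4 as checkable implications.
def lemma_4_1(theta, t):   # t pure and Theta strictly pure  =>  Theta(t) pure
    return not (is_pure(t) and is_strictly_pure(theta)) or is_pure(apply(theta, t))


def lemma_4_2(theta, t):   # Theta(t) pure  =>  t pure
    return not is_pure(apply(theta, t)) or is_pure(t)


def lemma_4_4(theta, t):   # Theta(t) pure  =>  Theta restricted to Free(t) strictly pure
    return (not is_pure(apply(theta, t))
            or is_strictly_pure(restrict(theta, free_metavars(t))))


# Constructed sample terms.  feval, K, E, W are the names used in chapter 5;
# the constants z, s and c are placeholders of this example.
K, E, W = ('mvar', 'K'), ('mvar', 'E'), ('mvar', 'W')
FEVAL_K_E_W = ('tapp', ('tapp', ('tapp', ('tconst', 'feval'), K), E), W)
SUCC_ZERO = ('app', ('const', 's'), ('const', 'z'))
# a program (pair X1 X2) sitting where an LF object is expected: not pure
IMPURE_OBJ = ('prog', ('pair', ('mvar', 'X1'), ('mvar', 'X2')))
C_OF_K = ('app', ('const', 'c'), K)

THETA_STRICT = {'K': ('mvar', 'K2'), 'W': SUCC_ZERO}
THETA_IMPURE = {'K': ('mvar', 'K2'), 'W': IMPURE_OBJ}


def demo() -> Tuple[bool, bool, bool, bool]:
    return (is_pure(apply(THETA_STRICT, FEVAL_K_E_W)),   # lemma 4.1 in action
            is_pure(apply(THETA_IMPURE, FEVAL_K_E_W)),   # W := program breaks purity
            is_pure(apply(THETA_IMPURE, C_OF_K)),        # W not free: still pure ...
            is_strictly_pure(restrict(THETA_IMPURE, free_metavars(C_OF_K))))  # ... and lemma 4.4 holds


if __name__ == '__main__':
    print(demo())   # (True, False, True, True)
```

The third and fourth results are the point of the restriction in lemma 4.4: a substitution may map some meta variable to an impure object and still produce a pure result, as long as that meta variable is not free in the term; only the part of $\Theta$ that is actually used has to be strict.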


Lemma 4.5 Let $P'$ be a pure program and $\Theta$ a strictly pure substitution. Then $\Theta(P')$ is pure.

Proof: by induction over the structure of $P'$.

Case: $P' = X$. If $[\Theta]_{\mathrm{program}}(X) = Y$ then
$$[\Theta]_{\mathrm{program}}(P') = [\Theta]_{\mathrm{program}}(X) = Y$$
which is pure. Else, if $[\Theta]_{\mathrm{program}}(X) = M'$, then
$$[\Theta]_{\mathrm{program}}(P') = [\Theta]_{\mathrm{program}}(X) = M'$$
which is pure because $\Theta$ is strictly pure. Else $X \notin \mathrm{dom}(\Theta)$ and
$$[\Theta]_{\mathrm{program}}(P') = [\Theta]_{\mathrm{program}}(X) = X$$
which is pure by definition.

Case: $P' = (\mathsf{unit})$ is pure by definition.

Case: $P' = (\mathsf{rec}\ X.\, P'')$.
$$[\Theta]_{\mathrm{program}}(P') = [\Theta]_{\mathrm{program}}(\mathsf{rec}\ X.\, P'') = (\mathsf{rec}\ X.\, [\Theta]_{\mathrm{program}}(P''))$$
is pure because $[\Theta]_{\mathrm{program}}(P'')$ is pure by induction hypothesis.

Case: $P' = (\mathsf{fun}\ X.\, P'')$: analogous.

Case: $P' = (\mathsf{pair}\ P_1'\ P_2')$: analogous.

Case: $P' = (\mathsf{inl}\ P'')$: analogous.

Case: $P' = (\mathsf{inr}\ P'')$: analogous.

Case: $P' = (\mathsf{inx}\ P_1'\ P_2')$: analogous.

Case: $P' = (\mathsf{app}\ P_1'\ P_2')$: analogous.

Case: $P' = (\mathsf{let}\ P_1'\ \mathsf{be}\ X\ \mathsf{in}\ P_2')$.
$$[\Theta]_{\mathrm{program}}(P') = [\Theta]_{\mathrm{program}}(\mathsf{let}\ P_1'\ \mathsf{be}\ X\ \mathsf{in}\ P_2') = (\mathsf{let}\ [\Theta]_{\mathrm{program}}(P_1')\ \mathsf{be}\ Y\ \mathsf{in}\ [\Theta, Y/X]_{\mathrm{program}}(P_2'))$$
By induction hypothesis $[\Theta]_{\mathrm{program}}(P_1')$ is pure, and since $\Theta, Y/X$ is also strict,
$[\Theta, Y/X]_{\mathrm{program}}(P_2')$ is pure by induction hypothesis.

Case: $P' = M'$.
$$[\Theta]_{\mathrm{program}}(P') = [\Theta]_{\mathrm{program}}(M') = [\Theta]_{\mathrm{object}}(M')$$
which is pure because $[\Theta]_{\mathrm{object}}(M')$ is pure by lemma 4.1.

Case: $P' = \left(\begin{array}{l} \mathsf{case}\ P\ \mathsf{of} \\ \quad Q^{(1)} \Rightarrow P^{(1)} \\ \quad \mid \cdots \\ \quad \mid Q^{(n)} \Rightarrow P^{(n)} \end{array}\right)$.

$$[\Theta]_{\mathrm{program}}(P') = [\Theta]_{\mathrm{program}}\left(\begin{array}{l} \mathsf{case}\ P\ \mathsf{of} \\ \quad Q^{(1)} \Rightarrow P^{(1)} \\ \quad \mid \cdots \\ \quad \mid Q^{(n)} \Rightarrow P^{(n)} \end{array}\right)
= \left(\begin{array}{l} \mathsf{case}\ [\Theta]_{\mathrm{program}}(P)\ \mathsf{of} \\ \quad [\Theta_1]_{\mathrm{program}}(Q^{(1)}) \Rightarrow [\Theta \circ \Theta_1]_{\mathrm{program}}(P^{(1)}) \\ \quad \mid \cdots \\ \quad \mid [\Theta_n]_{\mathrm{program}}(Q^{(n)}) \Rightarrow [\Theta \circ \Theta_n]_{\mathrm{program}}(P^{(n)}) \end{array}\right)$$

is pure, because $[\Theta]_{\mathrm{program}}(P)$ is pure, $\Theta \circ \Theta_k$ is strictly pure (this is because $\Theta_k$ is
only a variable renaming substitution), and $[\Theta \circ \Theta_k]_{\mathrm{program}}(P^{(k)})$ is pure for all $k \le n$ by
induction hypothesis.

□


Lemma 4.6 Let $\Theta$ be a substitution and $[\Theta](P)$ be pure. Then $P$ is pure.

Proof: Assume the contrary. $P$ is not pure implies $[\Theta](P)$ not pure: there is a syntactic
subprogram of the form $M$ with $M$ not pure. By lemma 4.2 we obtain $[\Theta](M)$ not pure,
and since this is a syntactic subprogram of $[\Theta](P)$, $[\Theta](P)$ cannot be pure. □

Lemma 4.7 Let $G'$ be a pure formula and $\Theta$ a strictly pure substitution. Then $\Theta(G')$ is pure.

Proof: by induction over the structure of $G'$.

Case: $G' = \forall X : A'.\, G''$.
$$[\Theta]_{\mathrm{formula}}(G') = [\Theta]_{\mathrm{formula}}(\forall X : A'.\, G'') = \forall Y : [\Theta]_{\mathrm{type}}(A').\, [\Theta \circ (Y/X)]_{\mathrm{formula}}(G'')$$
is pure because $[\Theta]_{\mathrm{type}}(A')$ is pure due to lemma 4.1, $\Theta \circ (Y/X)$ is a strictly pure substitution
and $[\Theta \circ (Y/X)]_{\mathrm{formula}}(G'')$ is pure by induction hypothesis.

Case: $G' = \exists X : A'.\, G''$: analogous.

Case: $G' = G_1' \wedge G_2'$.
$$[\Theta]_{\mathrm{formula}}(G') = [\Theta]_{\mathrm{formula}}(G_1' \wedge G_2') = [\Theta]_{\mathrm{formula}}(G_1') \wedge [\Theta]_{\mathrm{formula}}(G_2')$$
is pure because $[\Theta]_{\mathrm{formula}}(G_1')$ and $[\Theta]_{\mathrm{formula}}(G_2')$ are pure by induction hypothesis.

Case: $G' = G_1' \vee G_2'$: analogous.

Case: $G' = G_1' \rightarrow G_2'$: analogous.

Case: $G' = 1$ is pure by definition.

Case: $G' = A'$.
$$[\Theta]_{\mathrm{formula}}(G') = [\Theta]_{\mathrm{formula}}(A') = [\Theta]_{\mathrm{type}}(A')$$
is pure because $[\Theta]_{\mathrm{type}}(A')$ is pure by lemma 4.1.

□


Lemma 4.8 Let $\Theta$ be a substitution and $[\Theta](G)$ be a pure formula. Then $G$ is pure.

Proof: Assume the contrary. $G$ is not pure implies $[\Theta](G)$ not pure: there is a syntactic
subformula of $G$ of the form $A$ with $A$ not pure. By lemma 4.3 we obtain $[\Theta](A)$ not pure,
and since this is a syntactic subformula of $[\Theta](G)$, $[\Theta](G)$ cannot be pure. □

Lemma 4.9 Let $\Theta$ be a substitution, $G$ a formula and $[\Theta]_{\mathrm{formula}}(G)$ pure. Then $\Theta|_{\mathrm{Free}(G)}$ is strict.

Proof: By lemma 4.8 we have that $G$ is pure. Proof by induction over the structure of $G$.

Case: $G = \forall X : A_1.\, G_1$.
$$[\Theta]_{\mathrm{formula}}(G) = [\Theta]_{\mathrm{formula}}(\forall X : A_1.\, G_1) = \forall Y : [\Theta]_{\mathrm{type}}(A_1).\, [\Theta \circ (Y/X)]_{\mathrm{formula}}(G_1)$$
$A_1$ pure type and $[\Theta]_{\mathrm{type}}(A_1)$ pure gives us that $\Theta|_{\mathrm{Free}(A_1)}$ is strict by lemma 4.4. $G_1$ is a pure
formula, therefore $[Y/X]_{\mathrm{formula}}(G_1)$ is a pure formula. $[\Theta \circ (Y/X)]_{\mathrm{formula}}(G_1)$ pure implies
$[\Theta]_{\mathrm{formula}}([Y/X]_{\mathrm{formula}}(G_1))$ pure, which gives us that $\Theta|_{\mathrm{Free}([Y/X]_{\mathrm{formula}}(G_1))}$ is strict by induction
hypothesis. Therefore
$$\Theta|_{\mathrm{Free}(G)} = \Theta|_{\mathrm{Free}(A_1) \cup \mathrm{Free}(G_1) \setminus \{X\}} = \Theta|_{\mathrm{Free}(A_1)} \cup \Theta|_{\mathrm{Free}(G_1) \setminus \{X\}} = \Theta|_{\mathrm{Free}(A_1)} \cup \Theta|_{\mathrm{Free}([Y/X]_{\mathrm{formula}}(G_1))}$$
is strict.

Case: $G = \exists X : A_1.\, G_1$: analogous.

Case: $G = G_1 \wedge G_2$.
$$[\Theta]_{\mathrm{formula}}(G) = [\Theta]_{\mathrm{formula}}(G_1 \wedge G_2) = [\Theta]_{\mathrm{formula}}(G_1) \wedge [\Theta]_{\mathrm{formula}}(G_2)$$
$G_1$ pure formula and $[\Theta]_{\mathrm{formula}}(G_1)$ pure gives us that $\Theta|_{\mathrm{Free}(G_1)}$ is strict by induction hypothesis.
$G_2$ pure formula and $[\Theta]_{\mathrm{formula}}(G_2)$ pure gives us that $\Theta|_{\mathrm{Free}(G_2)}$ is strict by induction hypothesis.
Therefore $\Theta|_{\mathrm{Free}(G)} = \Theta|_{\mathrm{Free}(G_1) \cup \mathrm{Free}(G_2)} = \Theta|_{\mathrm{Free}(G_1)} \cup \Theta|_{\mathrm{Free}(G_2)}$ is strict.

Case: $G = G_1 \vee G_2$: analogous.

Case: $G = G_1 \rightarrow G_2$: analogous.

Case: $G = 1$ is pure by definition.

Case: $G = A$.
$$[\Theta]_{\mathrm{formula}}(G) = [\Theta]_{\mathrm{formula}}(A) = [\Theta]_{\mathrm{type}}(A)$$
$A$ pure type and $[\Theta]_{\mathrm{type}}(A)$ pure gives us that $\Theta|_{\mathrm{Free}(A)}$ is strict by lemma 4.4. Therefore
$\Theta|_{\mathrm{Free}(G)} = \Theta|_{\mathrm{Free}(A)}$ is strict.

□

Lemma 4.10 Let $\Gamma'$ be a pure context and $\Theta$ a strictly pure substitution. Then $\Theta(\Gamma')$ is pure.

Proof: by induction over the structure of $\Gamma'$.

Case: $\Gamma' = \cdot$ is pure by definition.

Case: $\Gamma' = \Gamma'', X \in D'$. If $X \in \mathrm{dom}(\Theta)$, we get
$$[\Theta]_{\mathrm{context}}(\Gamma') = [\Theta]_{\mathrm{context}}(\Gamma'', X \in D') = [\Theta]_{\mathrm{context}}(\Gamma'')$$
which is pure because of the induction hypothesis. If $X \notin \mathrm{dom}(\Theta)$, we get
$$[\Theta]_{\mathrm{context}}(\Gamma') = [\Theta]_{\mathrm{context}}(\Gamma'', X \in D') = [\Theta]_{\mathrm{context}}(\Gamma''),\ X \in [\Theta]_{\mathrm{formula}}(D')$$
which is pure because $[\Theta]_{\mathrm{context}}(\Gamma'')$ is pure by the induction hypothesis and $[\Theta]_{\mathrm{formula}}(D')$ is
pure because of lemma 4.7.

□

Lemma 4.11 Let $\Theta$ be a substitution and $[\Theta](\Gamma)$ be a pure context. Then $\Gamma$ is pure.

Proof: Assume the contrary. $\Gamma$ is not pure implies $[\Theta](\Gamma)$ not pure: there is a syntactic
subcontext of $\Gamma$ of the form $\Gamma_1, X \in D$ with $D$ not pure. By lemma 4.8 we obtain $[\Theta](D)$ not
pure. Therefore $[\Theta](\Gamma_1, X \in D)$ is not pure, and since this is a syntactic subcontext of $[\Theta](\Gamma)$,
$[\Theta](\Gamma)$ cannot be pure. □

Theorem 4.12 Every typing rule in MLF without cut is purity preserving. That is, when the
premisses are pure (all participating objects, types, programs, formulae, and contexts are pure),
the conclusion will be pure, too.

Proof:

Case: id preserves purity: under the assumption that $\Gamma_1, X \in C, \Gamma_2$ is pure, it follows
trivially that $X$ is pure and $C$ is pure.

Case: const preserves purity because $\Gamma$ is assumed to be pure.

Case: R1: analogous.

Case: R$\wedge$: $\Gamma$ pure, $P_1, P_2$ pure, and $G_1, G_2$ pure implies $(\mathsf{pair}\ P_1\ P_2)$ and $G_1 \wedge G_2$ pure.

Case: R$\vee_1$: analogous.

Case: R$\vee_2$: analogous.

Case: R$\rightarrow$: analogous.

Case: R$\forall$: Under the assumption that $\Gamma$ is pure and $A_D$ is pure, and because of lemma 4.6
and lemma 4.8, we can conclude that $P$ and $G$ are pure, and therefore $(\mathsf{fun}\ X.\, P)$ and
$\forall X : A_D.\, G$ are pure.

Case: R$\exists$: Under the assumption that $\Gamma$ is pure, $P, P'$ are pure, $[P'/X](G)$ is pure and $A_G$ is
pure, we obtain by lemma 4.8 that $G$ is pure. Consequently $(\mathsf{inx}\ P'\ P)$ and $\exists X : A_G.\, G$
are pure.

Case: rec: analogous.

Case: L$\wedge$: analogous.

Case: L$\vee$: analogous.

Case: L$\rightarrow$: analogous.

Case: L$\forall$: analogous.

Case: L$\exists$: analogous.

Case: L$\Pi$: Assume $\Gamma_1, X \in \Pi x : A_G.\, A_D, \Gamma_2$ is pure, $M$ is pure and $A_G$ is pure. From the second
premiss we can assume additionally that $P$ is pure. Hence, since $[X\ M/Y]$ is a strictly
pure substitution, it follows from lemma 4.5 that $[X\ M/Y](P)$ is pure.

Case: L$\Pi\Sigma$: analogous.

Case: case: We can assume $\Gamma$ to be pure, therefore $[P/X]$ is strictly pure and by lemma 4.10 we
obtain that $[P/X](\Gamma)$ is pure. From lemma 4.7 we obtain that $[P/X](G)$ is pure. By assumption
$P$ and $A_G$ are pure. $[\eta](A_G') = A_G$ is pure by the side condition of the rule, therefore
$\eta|_{\mathrm{Free}(A_G')}$ is strictly pure by lemma 4.4. Since $\eta = \eta|_{\mathrm{Free}(A_G')}$, $\eta$ is a strictly
pure substitution. Consequently for all $i$: $[\eta](P^{(i)})$ is pure, and therefore the proof term is
a pure program.

□

Theorem  4.13  (Generalized  Purity  Preservation)  Let  V  be  a  pure  context^  G  a  pure  for¬ 
mula^  P  a  program f  and  V  a  derivation  of  V  ::  T  \-y;  P  £  G  in  the  inference  system  of  pure  MLF 
without  Cut,  Then  P  is  pure. 

Proof: By induction over the derivation $\mathcal{D}$:

Case: id preserves purity: Under the assumption that $\Gamma_1, X \in C, \Gamma_2$ is pure, it follows trivially that $X$ is pure and $C$ is pure.

Case: const preserves purity because $\Gamma$ is assumed to be pure.

Case: R$\top$: analog.

Case: R$\wedge$: $\Gamma$ pure and $G_1, G_2$ pure implies that $P_1, P_2$ are pure, which implies that $(\mathsf{pair}\ P_1\ P_2)$ and $G_1 \wedge G_2$ are pure.

Case: R$\vee_1$: analog.

Case: R$\vee_2$: analog.

Case: R$\rightarrow$: $\Gamma$ pure and $D, G$ pure, therefore $\Gamma, X \in D$ is pure. The induction hypothesis gives a pure $P$, and therefore $(\mathsf{fun}\ X.P)$ is pure.

Case: R$\forall$: $\Gamma$ pure and $A_G, G$ pure, therefore $\Gamma, Y \in A_G$ is pure. Since $[Y/X](G)$ is pure, the induction hypothesis yields a pure program $[Y/X](P)$. Therefore $(\mathsf{fun}\ X.P)$ is pure.

Case: R$\exists'$: $\Gamma$ pure, $A_G, G$ pure. $Y$ as the result of the first premiss is pure. Since $[Y/X]$ is strict, $[Y/X](G)$ is pure, which yields a pure $P$. Therefore $(\mathsf{inx}\ Y\ P)$ is pure.

Case: R$\exists''$: $\Gamma$ pure, $A_G, G$ pure. $M$ as the result of the first premiss is pure. Since $[M/X]$ is strict, $[M/X](G)$ is pure, which yields a pure $P$. Therefore $(\mathsf{inx}\ M\ P)$ is pure.

Case: rec: analog to R$\rightarrow$.

Case: L$\wedge$: $\Gamma_1, X \in D_1 \wedge D_2, \Gamma_2$ is pure, therefore $\Gamma_1, X \in D_1 \wedge D_2, \Gamma_2, X_1 \in D_1, X_2 \in D_2$ is pure. $G$ is pure by assumption, therefore $P$ is pure, which yields $(\mathsf{case}\ X\ \mathsf{of}\ (\mathsf{pair}\ X_1\ X_2) \Rightarrow P)$ to be pure.

Case: L$\vee$: analog to L$\wedge$.

Case: L$\rightarrow$: analog to L$\wedge$.

Case: L$\forall'$: $\Gamma_1, X \in \forall Y : A_G.\,D, \Gamma_2$ is pure, $A_G$ is pure. $P_1$ as a result of the first premiss is pure. Since $[P_1/Y]$ is strict, and $D$ is pure, $[P_1/Y](D)$ is pure. The induction hypothesis on the second premiss yields that $P_2$ is pure, and therefore $(\mathsf{let}\ (\mathsf{app}\ X\ P_1)\ \mathsf{be}\ Z\ \mathsf{in}\ P_2)$ is pure.

Case: L$\forall''$: $\Gamma_1, X \in \forall Y : A_G.\,D, \Gamma_2$ is pure, $A_G$ is pure. $M$ as a result of the first premiss is pure. Since $[M/Y]$ is strict, and $D$ is pure, $[M/Y](D)$ is pure. The induction hypothesis on the second premiss yields that $P_2$ is pure, and therefore $(\mathsf{let}\ (\mathsf{app}\ X\ M)\ \mathsf{be}\ Y\ \mathsf{in}\ P_2)$ is pure.

Case: L$\exists$: analog to L$\wedge$.

Case: L$\Pi$: $\Gamma_1, X \in \Pi x : A_G.\,A_D, \Gamma_2$ is pure by assumption, therefore $M$ is pure. $\Pi x : A_G.\,A_D$ is pure, $M$ is pure, therefore $\{M/x\}\mathrm{type}(A_D)$ is pure, therefore the context for the second premiss is pure, and the induction hypothesis yields $P$ pure. Since $[X\,M/Y]$ is strict, $[X\,M/Y](P)$ is pure.

Case: L$\Pi\Sigma$: analog.

Case: case$'$: $[P/X](\Gamma)$ is pure. If $X \in \mathrm{Free}(\Gamma)$ then $\Gamma$ is pure by lemma 4.6, else $\Gamma$ is pure. If $X \in \mathrm{Free}(G)$ then $G$ is pure by lemma 4.8, else $G$ is pure. $A_G$ is pure and $A_G'$ is pure, and therefore $[\eta](A_G')$ is pure. By lemma 4.4 we obtain that $\eta = \eta|_{\mathrm{Free}(A_G')}$ is strict. We have that $[\eta](\Gamma')$ is pure (because $\Gamma$ is pure) and because of lemma 4.11 we obtain that $\Gamma'$ is pure. The same argument holds for $[\eta](G')$, which is pure since $G$ is pure. Because of lemma 4.8 we know that $G'$ is pure, too. By construction $\Theta^{(i)}$ is pure for all $i$. Thus, $\Theta^{(i)}(\Gamma')$ is pure. $\Delta^{(i)}$ is pure, too, by construction. And finally $\Theta^{(i)}(G')$ is pure because $G$ is pure. Therefore we can apply the induction hypothesis and obtain that the $P^{(i)}$ are pure for all $i$. Therefore the $[\eta](P^{(i)})$ are pure, and hence the proof term

$$\mathsf{case}\ P\ \mathsf{of}\ c_1\ Y^{(1)}_1 \ldots Y^{(1)}_{m_1} \Rightarrow [\eta](P^{(1)})\ \mid\ \ldots\ \mid\ c_n\ Y^{(n)}_1 \ldots Y^{(n)}_{m_n} \Rightarrow [\eta](P^{(n)})$$

is a pure program.

□ 


Appendix  C 

Local  reductions 


Lemma 4.15 (Substitution Effects) Let $D$ be a data formula, $P$ a program, $K$ a kind, $M$ an object and $A_P$ an atomic type, $A_G$ a goal type and $A_D$ a data type. Let $\sigma$ be a strict substitution, $\mathrm{Free}(\sigma) \cap \ldots = \emptyset$ and $\Lambda$ be a context with $\vdash \Lambda\ \mathsf{ctx}$ which introduces the new variables used in $\sigma$. Let $\Gamma' = \Lambda, [\sigma](\Gamma)$ and $\Delta' = [\sigma](\Delta)$. Then for all meta contexts $\Gamma$ and object contexts $\Delta$:

$$\begin{array}{lcl}
\Gamma; \Delta \vdash_\Sigma K\ \mathsf{kind} & \Rightarrow & \Gamma'; \Delta' \vdash_\Sigma [\sigma](K)\ \mathsf{kind} \\
\Gamma; \Delta \vdash_\Sigma A_P : K & \Rightarrow & \Gamma'; \Delta' \vdash_\Sigma [\sigma](A_P) : [\sigma](K) \\
\Gamma; \Delta \vdash_\Sigma A_G : K & \Rightarrow & \Gamma'; \Delta' \vdash_\Sigma [\sigma](A_G) : [\sigma](K) \\
\Gamma; \Delta \vdash_\Sigma A_D : K & \Rightarrow & \Gamma'; \Delta' \vdash_\Sigma [\sigma](A_D) : [\sigma](K) \\
\Gamma; \Delta \vdash_\Sigma M : A_P & \Rightarrow & \Gamma'; \Delta' \vdash_\Sigma [\sigma](M) : [\sigma](A_P) \\
\Gamma; \Delta \vdash_\Sigma M : A_G & \Rightarrow & \Gamma'; \Delta' \vdash_\Sigma [\sigma](M) : [\sigma](A_G) \\
\Gamma; \Delta \vdash_\Sigma M : A_D & \Rightarrow & \Gamma'; \Delta' \vdash_\Sigma [\sigma](M) : [\sigma](A_D) \\
\Gamma \vdash_\Sigma D\ \mathsf{data} & \Rightarrow & \Gamma' \vdash_\Sigma [\sigma](D)\ \mathsf{data} \\
\Gamma \vdash_\Sigma P \in G & \Rightarrow & \Gamma' \vdash_\Sigma [\sigma](P) \in [\sigma](G) \\
\vdash_\Sigma \Gamma\ \mathsf{ctx} & \Rightarrow & \vdash_\Sigma \Gamma'\ \mathsf{ctx}
\end{array}$$


Proof: by mutual induction on the participating derivations. Note that $\mathcal{D}'_1, \mathcal{D}'_2$ always refer to the derivations we obtain by applying the induction hypothesis to the derivations of the premisses of the rules.

Cases for $\Gamma; \Delta \vdash_\Sigma K\ \mathsf{kind}$:

Case: kindpi

$$\frac{\mathcal{D}'_1 :: \Gamma'; \Delta' \vdash_\Sigma [\sigma](A_G) : \mathsf{type} \qquad \mathcal{D}'_2 :: \Gamma'; \Delta', x : [\sigma](A_G) \vdash_\Sigma [\sigma](K)\ \mathsf{kind}}{\Gamma'; \Delta' \vdash_\Sigma [\sigma](\Pi x : A_G.\,K)\ \mathsf{kind}}\ \text{kindpi}$$

other cases: analog or trivial

Cases for $\Gamma; \Delta \vdash_\Sigma A_P : K$:

Case: typeatomapp

$$\frac{\Gamma'; \Delta' \vdash_\Sigma [\sigma](A_P) : \Pi x : [\sigma](A_G).\,[\sigma](K) \qquad \Gamma'; \Delta' \vdash_\Sigma [\sigma](M) : [\sigma](A_G)}{\Gamma'; \Delta' \vdash_\Sigma ([\sigma](A_P)\ [\sigma](M)) : [\sigma](\{M/x\}(K))}\ \text{typeatomapp}$$

Case: typeatomequiv

$$\frac{\Gamma'; \Delta' \vdash_\Sigma [\sigma](A_P) : [\sigma](K) \qquad [\sigma](K) \equiv [\sigma](K') \qquad \Gamma'; \Delta' \vdash_\Sigma [\sigma](K')\ \mathsf{kind}}{\Gamma'; \Delta' \vdash_\Sigma [\sigma](A_P) : [\sigma](K')}\ \text{typeatomequiv}$$

Cases for $\Gamma; \Delta \vdash_\Sigma A_G : K$:

All cases: same as $\Gamma; \Delta \vdash_\Sigma A_P : K$

Cases for $\Gamma; \Delta \vdash_\Sigma A_D : K$:

Case: typedatapi

$$\frac{\Gamma'; \Delta' \vdash_\Sigma [\sigma](A_G) : \mathsf{type} \qquad \Gamma'; \Delta', x : [\sigma](A_G) \vdash_\Sigma [\sigma](A_D) : \mathsf{type}}{\Gamma'; \Delta' \vdash_\Sigma [\sigma](\Pi x : A_G.\,A_D) : \mathsf{type}}\ \text{typedatapi}$$

other cases: analog or trivial or as $\Gamma; \Delta \vdash_\Sigma A_P : K$

Cases for $\Gamma; \Delta \vdash_\Sigma M : A_P$, $\Gamma; \Delta \vdash_\Sigma M : A_G$ and $\Gamma; \Delta \vdash_\Sigma M : A_D$:

Case: objdatapi

$$\frac{\Gamma'; \Delta' \vdash_\Sigma [\sigma](\Pi x : A_G.\,A_D) : \mathsf{type}\ \ (\text{by typedatapi}) \qquad \Gamma'; \Delta', x : [\sigma](A_G) \vdash_\Sigma [\sigma](M) : [\sigma](A_D)}{\Gamma'; \Delta' \vdash_\Sigma [\sigma](\lambda x : A_G.\,M) : [\sigma](\Pi x : A_G.\,A_D)}\ \text{objdatapi}$$

Case: objdataapp

$$\frac{\Gamma'; \Delta' \vdash_\Sigma [\sigma](M_1) : \Pi x : [\sigma](A_G).\,[\sigma](A_D) \qquad \Gamma'; \Delta' \vdash_\Sigma [\sigma](M_2) : [\sigma](A_G)}{\Gamma'; \Delta' \vdash_\Sigma [\sigma](M_1\ M_2) : [\sigma](A_D)}\ \text{objdataapp}$$

Case: objdataequiv

$$\frac{\Gamma'; \Delta' \vdash_\Sigma [\sigma](M) : [\sigma](A_D) \qquad [\sigma](A_D) \equiv [\sigma](A_D') \qquad \Gamma'; \Delta' \vdash_\Sigma [\sigma](A_D') : \mathsf{type}}{\Gamma'; \Delta' \vdash_\Sigma [\sigma](M) : [\sigma](A_D')}\ \text{objdataequiv}$$

Case: objgoalprgl

$$\frac{\Gamma' \vdash_\Sigma [\sigma](P) \in [\sigma](A_G)}{\Gamma'; \Delta' \vdash_\Sigma [\sigma](P) : [\sigma](A_G)}\ \text{objgoalprgl}$$

other cases: analog or trivial

Cases for $\Gamma \vdash_\Sigma D\ \mathsf{data}$:

Case: dataforall

$$\frac{\Gamma'; \cdot \vdash_\Sigma [\sigma](A_G) : \mathsf{type} \qquad \Gamma', X \in [\sigma](A_G) \vdash_\Sigma [\sigma](D)\ \mathsf{data}}{\Gamma' \vdash_\Sigma [\sigma](\forall X : A_G.\,D)\ \mathsf{data}}\ \text{dataforall}$$

Case: dataand

$$\frac{\Gamma' \vdash_\Sigma [\sigma](D_1)\ \mathsf{data} \qquad \Gamma' \vdash_\Sigma [\sigma](D_2)\ \mathsf{data}}{\Gamma' \vdash_\Sigma [\sigma](D_1 \wedge D_2)\ \mathsf{data}}\ \text{dataand}$$

Case: datatype

$$\frac{\Gamma'; \cdot \vdash_\Sigma [\sigma](K)\ \mathsf{kind} \qquad \Gamma'; \cdot \vdash_\Sigma [\sigma](A_D) : [\sigma](K)}{\Gamma' \vdash_\Sigma [\sigma](A_D)\ \mathsf{data}}\ \text{datatype}$$

other cases: analog or trivial

Cases for $\vdash_\Sigma \Gamma\ \mathsf{ctx}$:

Case: ctxcons

$$\frac{\mathcal{D}'_1 :: \vdash_\Sigma \Gamma'\ \mathsf{ctx} \qquad \mathcal{D}'_2 :: \Gamma' \vdash_\Sigma [\sigma](D)\ \mathsf{data}}{\vdash_\Sigma \Gamma', X \in [\sigma](D)\ \mathsf{ctx}}\ \text{ctxcons}$$

other cases: analog or trivial

Cases for $\Gamma \vdash_\Sigma P \in G$: straightforward


Lemma 4.14 (Context extension) Let $\Gamma_1, \Gamma_2$ be contexts s.t. $\vdash_\Sigma \Gamma_1, \Gamma_2\ \mathsf{ctx}$. Let $D$ be a formula s.t. $\Gamma_1 \vdash_\Sigma D\ \mathsf{data}$, then $\vdash_\Sigma \Gamma_1, X \in D, \Gamma_2\ \mathsf{ctx}$.

Proof: by structural induction over the form of $\Gamma_2$:

Case: $\Gamma_2 = \cdot$: We have $\vdash_\Sigma \Gamma_1\ \mathsf{ctx}$. Since $\mathcal{E} :: \Gamma_1 \vdash_\Sigma D\ \mathsf{data}$ we have $\vdash_\Sigma \Gamma_1, X \in D\ \mathsf{ctx}$.

Case: $\Gamma_2 = \Gamma_2', Y \in D'$: By inversion we obtain $\vdash_\Sigma \Gamma_1, \Gamma_2'\ \mathsf{ctx}$. By the induction hypothesis we obtain $\vdash_\Sigma \Gamma_1, X \in D, \Gamma_2'\ \mathsf{ctx}$ and by application of the context formation rule we obtain $\vdash_\Sigma \Gamma_1, X \in D, \Gamma_2\ \mathsf{ctx}$.


□ 

Lemma 4.16 (Weakening) Let $\mathcal{D} :: \Gamma_1, \Gamma_2 \vdash_\Sigma P \in G$, $\mathcal{E} :: \Gamma_1 \vdash_\Sigma D'\ \mathsf{data}$ and $X' \notin \mathrm{dom}(\Gamma_1, \Gamma_2)$, then $\mathcal{D}[X' \in D'] :: \Gamma_1, X' \in D', \Gamma_2 \vdash_\Sigma P \in G$, where $X'$ is a new meta variable and $D'$ is a data formula depending only on variables in $\Gamma_1$.

Proof: by induction over the derivation $\mathcal{D}$:

Case: id

$\vdash_\Sigma \Gamma_1, \Gamma_1', X \in C, \Gamma_2\ \mathsf{ctx}$ (by assumption)
$\vdash_\Sigma \Gamma_1, X' \in D', \Gamma_1', X \in C, \Gamma_2\ \mathsf{ctx}$ (by lemma 4.14 and by assumption)
$\Gamma_1, X' \in D', \Gamma_1', X \in C, \Gamma_2 \vdash_\Sigma X \in C$ (Apply id)

alternative: analog

Case: R$\top$: follows directly from lemma 4.14 and assumption

Case: const: follows directly from lemma 4.14 and assumption

Case: R$\wedge$

$\Gamma_1, \Gamma_2 \vdash_\Sigma P_1 \in G_1$ (by assumption)
$\Rightarrow \Gamma_1, X' \in D', \Gamma_2 \vdash_\Sigma P_1 \in G_1$ (by hyp.)
$\Gamma_1, \Gamma_2 \vdash_\Sigma P_2 \in G_2$ (by assumption)
$\Rightarrow \Gamma_1, X' \in D', \Gamma_2 \vdash_\Sigma P_2 \in G_2$ (by hyp.)
$\Rightarrow \Gamma_1, X' \in D', \Gamma_2 \vdash_\Sigma (\mathsf{pair}\ P_1\ P_2) \in G_1 \wedge G_2$ (Apply R$\wedge$)

Case: R$\vee_1$

$\Gamma_1, \Gamma_2 \vdash_\Sigma P \in G_1$ (by assumption)
$\Rightarrow \Gamma_1, X' \in D', \Gamma_2 \vdash_\Sigma P \in G_1$ (by hyp.)
$\Rightarrow \Gamma_1, X' \in D', \Gamma_2 \vdash_\Sigma (\mathsf{inl}\ P) \in G_1 \vee G_2$ (Apply R$\vee_1$)

Case: R$\vee_2$

$\Gamma_1, \Gamma_2 \vdash_\Sigma P \in G_2$ (by assumption)
$\Rightarrow \Gamma_1, X' \in D', \Gamma_2 \vdash_\Sigma P \in G_2$ (by hyp.)
$\Rightarrow \Gamma_1, X' \in D', \Gamma_2 \vdash_\Sigma (\mathsf{inr}\ P) \in G_1 \vee G_2$ (Apply R$\vee_2$)

Case: R$\rightarrow$

$\Gamma_1, \Gamma_2, X \in D \vdash_\Sigma P \in G$ (by assumption)
$\Rightarrow \Gamma_1, X' \in D', \Gamma_2, X \in D \vdash_\Sigma P \in G$ (by hyp.)
$\Rightarrow \Gamma_1, X' \in D', \Gamma_2 \vdash_\Sigma (\mathsf{fun}\ X.P) \in D \rightarrow G$ (Apply R$\rightarrow$)

Case: R$\forall$

$\Gamma_1, \Gamma_2, Y \in A_G \vdash_\Sigma [Y/X](P) \in [Y/X](G)$ (by assumption)
$\Rightarrow \Gamma_1, X' \in D', \Gamma_2, Y \in A_G \vdash_\Sigma [Y/X](P) \in [Y/X](G)$ (by hyp.)
$\Rightarrow \Gamma_1, X' \in D', \Gamma_2 \vdash_\Sigma (\mathsf{fun}\ X.P) \in \forall X : A_G.\,G$ (Apply R$\forall$)

Case: R$\exists$

$\Gamma_1, \Gamma_2 \vdash_\Sigma P' \in A_G$ (by assumption)
$\Rightarrow \Gamma_1, X' \in D', \Gamma_2 \vdash_\Sigma P' \in A_G$ (by hyp.)
$\Gamma_1, \Gamma_2 \vdash_\Sigma P \in [P'/X](G)$ (by assumption)
$\Rightarrow \Gamma_1, X' \in D', \Gamma_2 \vdash_\Sigma P \in [P'/X](G)$ (by hyp.)
$\Rightarrow \Gamma_1, X' \in D', \Gamma_2 \vdash_\Sigma (\mathsf{inx}\ P'\ P) \in \exists X : A_G.\,G$ (Apply R$\exists$)

Case: rec

$\Gamma_1, \Gamma_2, X \in C \vdash_\Sigma P \in C$ (by assumption)
$\Rightarrow \Gamma_1, X' \in D', \Gamma_2, X \in C \vdash_\Sigma P \in C$ (by hyp.)
$\Rightarrow \Gamma_1, X' \in D', \Gamma_2 \vdash_\Sigma (\mathsf{rec}\ X.P) \in C$ (Apply rec)

Case: L$\wedge$

$\Gamma_1, X \in D_1 \wedge D_2, \Gamma_2, \Gamma_3, X_1 \in D_1, X_2 \in D_2 \vdash_\Sigma P \in G$ (by assumption)
$\Rightarrow \Gamma_1, X \in D_1 \wedge D_2, \Gamma_2, X' \in D', \Gamma_3, X_1 \in D_1, X_2 \in D_2 \vdash_\Sigma P \in G$ (by hyp.)
$\Rightarrow \Gamma_1, X \in D_1 \wedge D_2, \Gamma_2, X' \in D', \Gamma_3 \vdash_\Sigma (\mathsf{case}\ X\ \mathsf{of}\ (\mathsf{pair}\ X_1\ X_2) \Rightarrow P) \in G$ (Apply L$\wedge$)

$\Gamma_1, \Gamma_2, X \in D_1 \wedge D_2, \Gamma_3, X_1 \in D_1, X_2 \in D_2 \vdash_\Sigma P \in G$ (by assumption)
$\Rightarrow \Gamma_1, X' \in D', \Gamma_2, X \in D_1 \wedge D_2, \Gamma_3, X_1 \in D_1, X_2 \in D_2 \vdash_\Sigma P \in G$ (by hyp.)
$\Rightarrow \Gamma_1, X' \in D', \Gamma_2, X \in D_1 \wedge D_2, \Gamma_3 \vdash_\Sigma (\mathsf{case}\ X\ \mathsf{of}\ (\mathsf{pair}\ X_1\ X_2) \Rightarrow P) \in G$ (Apply L$\wedge$)

Case: L$\vee$

$\Gamma_1, X \in D_1 \vee D_2, \Gamma_2, \Gamma_3, X_1 \in D_1 \vdash_\Sigma P_1 \in G$ (by assumption)
$\Rightarrow \Gamma_1, X \in D_1 \vee D_2, \Gamma_2, X' \in D', \Gamma_3, X_1 \in D_1 \vdash_\Sigma P_1 \in G$ (by hyp.)
$\Gamma_1, X \in D_1 \vee D_2, \Gamma_2, \Gamma_3, X_2 \in D_2 \vdash_\Sigma P_2 \in G$ (by assumption)
$\Rightarrow \Gamma_1, X \in D_1 \vee D_2, \Gamma_2, X' \in D', \Gamma_3, X_2 \in D_2 \vdash_\Sigma P_2 \in G$ (by hyp.)
$\Rightarrow \Gamma_1, X \in D_1 \vee D_2, \Gamma_2, X' \in D', \Gamma_3 \vdash_\Sigma (\mathsf{case}\ X\ \mathsf{of}\ (\mathsf{inl}\ X_1) \Rightarrow P_1 \mid (\mathsf{inr}\ X_2) \Rightarrow P_2) \in G$ (Apply L$\vee$)

$\Gamma_1, \Gamma_2, X \in D_1 \vee D_2, \Gamma_3, X_1 \in D_1 \vdash_\Sigma P_1 \in G$ (by assumption)
$\Rightarrow \Gamma_1, X' \in D', \Gamma_2, X \in D_1 \vee D_2, \Gamma_3, X_1 \in D_1 \vdash_\Sigma P_1 \in G$ (by hyp.)
$\Gamma_1, \Gamma_2, X \in D_1 \vee D_2, \Gamma_3, X_2 \in D_2 \vdash_\Sigma P_2 \in G$ (by assumption)
$\Rightarrow \Gamma_1, X' \in D', \Gamma_2, X \in D_1 \vee D_2, \Gamma_3, X_2 \in D_2 \vdash_\Sigma P_2 \in G$ (by hyp.)
$\Rightarrow \Gamma_1, X' \in D', \Gamma_2, X \in D_1 \vee D_2, \Gamma_3 \vdash_\Sigma (\mathsf{case}\ X\ \mathsf{of}\ (\mathsf{inl}\ X_1) \Rightarrow P_1 \mid (\mathsf{inr}\ X_2) \Rightarrow P_2) \in G$ (Apply L$\vee$)

Case: L$\rightarrow$

$\Gamma_1, X \in G_1 \rightarrow D, \Gamma_2, \Gamma_3 \vdash_\Sigma P \in G_1$ (by assumption)
$\Rightarrow \Gamma_1, X \in G_1 \rightarrow D, \Gamma_2, X' \in D', \Gamma_3 \vdash_\Sigma P \in G_1$ (by hyp.)
$\Gamma_1, X \in G_1 \rightarrow D, \Gamma_2, \Gamma_3, Y \in D \vdash_\Sigma P' \in G_2$ (by assumption)
$\Rightarrow \Gamma_1, X \in G_1 \rightarrow D, \Gamma_2, X' \in D', \Gamma_3, Y \in D \vdash_\Sigma P' \in G_2$ (by hyp.)
$\Rightarrow \Gamma_1, X \in G_1 \rightarrow D, \Gamma_2, X' \in D', \Gamma_3 \vdash_\Sigma (\mathsf{let}\ (\mathsf{app}\ X\ P)\ \mathsf{be}\ Y\ \mathsf{in}\ P') \in G_2$ (Apply L$\rightarrow$)

$\Gamma_1, \Gamma_2, X \in G_1 \rightarrow D, \Gamma_3 \vdash_\Sigma P \in G_1$ (by assumption)
$\Rightarrow \Gamma_1, X' \in D', \Gamma_2, X \in G_1 \rightarrow D, \Gamma_3 \vdash_\Sigma P \in G_1$ (by hyp.)
$\Gamma_1, \Gamma_2, X \in G_1 \rightarrow D, \Gamma_3, Y \in D \vdash_\Sigma P' \in G_2$ (by assumption)
$\Rightarrow \Gamma_1, X' \in D', \Gamma_2, X \in G_1 \rightarrow D, \Gamma_3, Y \in D \vdash_\Sigma P' \in G_2$ (by hyp.)
$\Rightarrow \Gamma_1, X' \in D', \Gamma_2, X \in G_1 \rightarrow D, \Gamma_3 \vdash_\Sigma (\mathsf{let}\ (\mathsf{app}\ X\ P)\ \mathsf{be}\ Y\ \mathsf{in}\ P') \in G_2$ (Apply L$\rightarrow$)

Case: L$\forall$

$\Gamma_1, X \in \forall Y : A_G.\,D, \Gamma_2, \Gamma_3 \vdash_\Sigma P_1 \in A_G$ (by assumption)
$\Rightarrow \Gamma_1, X \in \forall Y : A_G.\,D, \Gamma_2, X' \in D', \Gamma_3 \vdash_\Sigma P_1 \in A_G$ (by hyp.)
$\Gamma_1, X \in \forall Y : A_G.\,D, \Gamma_2, \Gamma_3, Z \in [P_1/Y](D) \vdash_\Sigma P_2 \in G$ (by assumption)
$\Rightarrow \Gamma_1, X \in \forall Y : A_G.\,D, \Gamma_2, X' \in D', \Gamma_3, Z \in [P_1/Y](D) \vdash_\Sigma P_2 \in G$ (by hyp.)
$\Rightarrow \Gamma_1, X \in \forall Y : A_G.\,D, \Gamma_2, X' \in D', \Gamma_3 \vdash_\Sigma (\mathsf{let}\ (\mathsf{app}\ X\ P_1)\ \mathsf{be}\ Z\ \mathsf{in}\ P_2) \in G$ (Apply L$\forall$)

$\Gamma_1, \Gamma_2, X \in \forall Y : A_G.\,D, \Gamma_3 \vdash_\Sigma P_1 \in A_G$ (by assumption)
$\Rightarrow \Gamma_1, X' \in D', \Gamma_2, X \in \forall Y : A_G.\,D, \Gamma_3 \vdash_\Sigma P_1 \in A_G$ (by hyp.)
$\Gamma_1, \Gamma_2, X \in \forall Y : A_G.\,D, \Gamma_3, Z \in [P_1/Y](D) \vdash_\Sigma P_2 \in G$ (by assumption)
$\Rightarrow \Gamma_1, X' \in D', \Gamma_2, X \in \forall Y : A_G.\,D, \Gamma_3, Z \in [P_1/Y](D) \vdash_\Sigma P_2 \in G$ (by hyp.)
$\Rightarrow \Gamma_1, X' \in D', \Gamma_2, X \in \forall Y : A_G.\,D, \Gamma_3 \vdash_\Sigma (\mathsf{let}\ (\mathsf{app}\ X\ P_1)\ \mathsf{be}\ Z\ \mathsf{in}\ P_2) \in G$ (Apply L$\forall$)

Case: L$\exists$

$\Gamma_1, X \in \exists Y : A_D.\,D, \Gamma_2, \Gamma_3, X_1 \in A_D, X_2 \in [X_1/Y](D) \vdash_\Sigma P \in G$ (by assumption)
$\Rightarrow \Gamma_1, X \in \exists Y : A_D.\,D, \Gamma_2, X' \in D', \Gamma_3, X_1 \in A_D, X_2 \in [X_1/Y](D) \vdash_\Sigma P \in G$ (by hyp.)
$\Rightarrow \Gamma_1, X \in \exists Y : A_D.\,D, \Gamma_2, X' \in D', \Gamma_3 \vdash_\Sigma (\mathsf{case}\ X\ \mathsf{of}\ (\mathsf{inx}\ X_1\ X_2) \Rightarrow P) \in G$ (Apply L$\exists$)

$\Gamma_1, \Gamma_2, X \in \exists Y : A_D.\,D, \Gamma_3, X_1 \in A_D, X_2 \in [X_1/Y](D) \vdash_\Sigma P \in G$ (by assumption)
$\Rightarrow \Gamma_1, X' \in D', \Gamma_2, X \in \exists Y : A_D.\,D, \Gamma_3, X_1 \in A_D, X_2 \in [X_1/Y](D) \vdash_\Sigma P \in G$ (by hyp.)
$\Rightarrow \Gamma_1, X' \in D', \Gamma_2, X \in \exists Y : A_D.\,D, \Gamma_3 \vdash_\Sigma (\mathsf{case}\ X\ \mathsf{of}\ (\mathsf{inx}\ X_1\ X_2) \Rightarrow P) \in G$ (Apply L$\exists$)

Case: L$\Pi$

$\Gamma_1, X \in \Pi x : A_G.\,A_D, \Gamma_2, \Gamma_3 \vdash_\Sigma M \in A_G$ (by assumption)
$\Rightarrow \Gamma_1, X \in \Pi x : A_G.\,A_D, \Gamma_2, X' \in D', \Gamma_3 \vdash_\Sigma M \in A_G$ (by hyp.)
$\Gamma_1, X \in \Pi x : A_G.\,A_D, \Gamma_2, \Gamma_3, Y \in \{M/x\}\mathrm{type}(A_D) \vdash_\Sigma P \in G$ (by assumption)
$\Rightarrow \Gamma_1, X \in \Pi x : A_G.\,A_D, \Gamma_2, X' \in D', \Gamma_3, Y \in \{M/x\}\mathrm{type}(A_D) \vdash_\Sigma P \in G$ (by hyp.)
$\Rightarrow \Gamma_1, X \in \Pi x : A_G.\,A_D, \Gamma_2, X' \in D', \Gamma_3 \vdash_\Sigma [(X\ M)/Y](P) \in G$ (Apply L$\Pi$)

$\Gamma_1, \Gamma_2, X \in \Pi x : A_G.\,A_D, \Gamma_3 \vdash_\Sigma M \in A_G$ (by assumption)
$\Rightarrow \Gamma_1, X' \in D', \Gamma_2, X \in \Pi x : A_G.\,A_D, \Gamma_3 \vdash_\Sigma M \in A_G$ (by hyp.)
$\Gamma_1, \Gamma_2, X \in \Pi x : A_G.\,A_D, \Gamma_3, Y \in \{M/x\}\mathrm{type}(A_D) \vdash_\Sigma P \in G$ (by assumption)
$\Rightarrow \Gamma_1, X' \in D', \Gamma_2, X \in \Pi x : A_G.\,A_D, \Gamma_3, Y \in \{M/x\}\mathrm{type}(A_D) \vdash_\Sigma P \in G$ (by hyp.)
$\Rightarrow \Gamma_1, X' \in D', \Gamma_2, X \in \Pi x : A_G.\,A_D, \Gamma_3 \vdash_\Sigma [(X\ M)/Y](P) \in G$ (Apply L$\Pi$)

Case: L$\Pi\forall$: analog

Case: L$\Pi\Sigma$

$\Gamma_1, \Gamma_2 \vdash_\Sigma M \in A_G$ (by assumption)
$\Rightarrow \Gamma_1, X' \in D', \Gamma_2 \vdash_\Sigma M \in A_G$ (by hyp.)
$\Gamma_1, \Gamma_2, Y \in \{M/x\}\mathrm{type}(A_D) \vdash_\Sigma P' \in G$ (by assumption)
$\Rightarrow \Gamma_1, X' \in D', \Gamma_2, Y \in \{M/x\}\mathrm{type}(A_D) \vdash_\Sigma P' \in G$ (by hyp.)
$\Rightarrow \Gamma_1, X' \in D', \Gamma_2 \vdash_\Sigma [(c\ M)/Y](P') \in G$ (Apply L$\Pi\Sigma$)

Case: L$\Pi\Sigma\forall$

Case: case

$\Gamma_1, \Gamma_2 \vdash P \in A_G$ (by assumption)
$\Rightarrow \Gamma_1, X' \in D', \Gamma_2 \vdash P \in A_G$ (by hyp.)
$\Gamma_1 \vdash D'\ \mathsf{formula}$ (by assumption)
$\Delta^{(i)}, \Theta^{(i)}(\Gamma_1) \vdash \Theta^{(i)}(D')\ \mathsf{formula}$ (by lemma 3.32 (3.8, 3.9) and lemma 4.15)

For all $i \le n$:

$\Delta^{(i)}, \Theta^{(i)}(\Gamma_1, \Gamma_2) \vdash_\Sigma P^{(i)} \in \Theta^{(i)}(G)$ (by assumption)
$\Rightarrow \Delta^{(i)}, \Theta^{(i)}(\Gamma_1), X' \in \Theta^{(i)}(D'), \Theta^{(i)}(\Gamma_2) \vdash_\Sigma P^{(i)} \in \Theta^{(i)}(G)$ (by hyp.)
$= \Delta^{(i)}, \Theta^{(i)}(\Gamma_1, X' \in D', \Gamma_2) \vdash_\Sigma P^{(i)} \in \Theta^{(i)}(G)$ (by def. subst.)

$\Rightarrow \Gamma_1, X' \in D', \Gamma_2 \vdash_\Sigma (\mathsf{case}\ P\ \mathsf{of}\ c_1\ Y^{(1)}_1 \ldots Y^{(1)}_{m_1} \Rightarrow [\eta](P^{(1)}) \mid \ldots \mid c_n\ Y^{(n)}_1 \ldots Y^{(n)}_{m_n} \Rightarrow [\eta](P^{(n)})) \in G$ (Apply case)


□ 

Lemma 4.17 (Contraction) Let $D, D'$ be data formulae, $K$ a kind, $A_P$ an atomic type, $A_G$ a goal type, $A_D$ a data type, $M$ an object and $P$ a program. Then the following holds: For all meta contexts $\Gamma_1, \Gamma_2, \Gamma_3$ and for all object contexts $\Delta$: Let $\Gamma = \Gamma_1, U \in D', \Gamma_2, V \in D', \Gamma_3$ and $\Gamma' = \Gamma_1, U \in D', \Gamma_2, [U/V](\Gamma_3)$ and let $\Delta' = [U/V](\Delta)$ and $\sigma = [U/V]$. Then we have:

$$\begin{array}{lcl}
\Gamma; \Delta \vdash_\Sigma K\ \mathsf{kind} & \Rightarrow & \Gamma'; \Delta' \vdash_\Sigma [\sigma](K)\ \mathsf{kind} \\
\Gamma; \Delta \vdash_\Sigma A_P : K & \Rightarrow & \Gamma'; \Delta' \vdash_\Sigma [\sigma](A_P) : [\sigma](K) \\
\Gamma; \Delta \vdash_\Sigma A_G : K & \Rightarrow & \Gamma'; \Delta' \vdash_\Sigma [\sigma](A_G) : [\sigma](K) \\
\Gamma; \Delta \vdash_\Sigma A_D : K & \Rightarrow & \Gamma'; \Delta' \vdash_\Sigma [\sigma](A_D) : [\sigma](K) \\
\Gamma; \Delta \vdash_\Sigma M : A_P & \Rightarrow & \Gamma'; \Delta' \vdash_\Sigma [\sigma](M) : [\sigma](A_P) \\
\Gamma; \Delta \vdash_\Sigma M : A_G & \Rightarrow & \Gamma'; \Delta' \vdash_\Sigma [\sigma](M) : [\sigma](A_G) \\
\Gamma; \Delta \vdash_\Sigma M : A_D & \Rightarrow & \Gamma'; \Delta' \vdash_\Sigma [\sigma](M) : [\sigma](A_D) \\
\Gamma \vdash_\Sigma D\ \mathsf{data} & \Rightarrow & \Gamma' \vdash_\Sigma [\sigma](D)\ \mathsf{data} \\
\Gamma \vdash_\Sigma P \in G & \Rightarrow & \Gamma' \vdash_\Sigma [\sigma](P) \in [\sigma](G) \\
\vdash_\Sigma \Gamma\ \mathsf{ctx} & \Rightarrow & \vdash_\Sigma \Gamma'\ \mathsf{ctx}
\end{array}$$

Proof: by mutual induction on the participating derivations. Note that $\mathcal{D}'_1, \mathcal{D}'_2$ always refer to the derivations we obtain by applying the induction hypothesis to the derivations of the premisses of the rules.

Cases for $\Gamma; \Delta \vdash_\Sigma K\ \mathsf{kind}$: same as in the proof of lemma 4.15.
Cases for $\Gamma; \Delta \vdash_\Sigma A_P : K$: same as in the proof of lemma 4.15.
Cases for $\Gamma; \Delta \vdash_\Sigma A_G : K$: same as in the proof of lemma 4.15.
Cases for $\Gamma; \Delta \vdash_\Sigma A_D : K$: same as in the proof of lemma 4.15.
Cases for $\Gamma; \Delta \vdash_\Sigma M : A_P$: same as in the proof of lemma 4.15.
Cases for $\Gamma; \Delta \vdash_\Sigma M : A_G$: same as in the proof of lemma 4.15.
Cases for $\Gamma; \Delta \vdash_\Sigma M : A_D$: same as in the proof of lemma 4.15.
Cases for $\Gamma \vdash_\Sigma D\ \mathsf{data}$: same as in the proof of lemma 4.15.
Cases for $\vdash_\Sigma \Gamma\ \mathsf{ctx}$: same as in the proof of lemma 4.15.

Cases for $\Gamma \vdash_\Sigma P \in G$:

Case: id

$\vdash_\Sigma \Gamma_1, X \in C, \Gamma_2, U \in D', \Gamma_3, V \in D', \Gamma_4\ \mathsf{ctx}$ (Assumption)
$\Rightarrow \vdash_\Sigma \Gamma_1, X \in C, \Gamma_2, U \in D', \Gamma_3, [\sigma](\Gamma_4)\ \mathsf{ctx}$ (by hyp.)
$\Rightarrow \Gamma_1, X \in C, \Gamma_2, U \in D', \Gamma_3, [\sigma](\Gamma_4) \vdash_\Sigma X \in [\sigma](C)$ (Apply id)
$= \Gamma_1, X \in C, \Gamma_2, U \in D', \Gamma_3, [\sigma](\Gamma_4) \vdash_\Sigma X \in C$ (trivial)

$\vdash_\Sigma \Gamma_1, U \in D', \Gamma_2, X \in C, \Gamma_3, V \in D', \Gamma_4\ \mathsf{ctx}$ (Assumption)
$\Rightarrow \vdash_\Sigma \Gamma_1, U \in D', \Gamma_2, X \in C, \Gamma_3, [\sigma](\Gamma_4)\ \mathsf{ctx}$ (by hyp.)
$\Rightarrow \Gamma_1, U \in D', \Gamma_2, X \in C, \Gamma_3, [\sigma](\Gamma_4) \vdash_\Sigma X \in [\sigma](C)$ (Apply id)
$= \Gamma_1, U \in D', \Gamma_2, X \in C, \Gamma_3, [\sigma](\Gamma_4) \vdash_\Sigma X \in C$ (trivial)

$\vdash_\Sigma \Gamma_1, U \in D', \Gamma_2, V \in D', \Gamma_3, X \in C, \Gamma_4\ \mathsf{ctx}$ (Assumption)
$\Rightarrow \vdash_\Sigma \Gamma_1, U \in D', \Gamma_2, [\sigma](\Gamma_3), X \in [\sigma](C), [\sigma](\Gamma_4)\ \mathsf{ctx}$ (I.H.)
$\Rightarrow \Gamma_1, U \in D', \Gamma_2, [\sigma](\Gamma_3), X \in [\sigma](C), [\sigma](\Gamma_4) \vdash_\Sigma X \in [\sigma](C)$ (Apply id)

Case: R$\top$, const: trivial

Case: R$\wedge$

$\Gamma_1, U \in D', \Gamma_2, V \in D', \Gamma_3 \vdash_\Sigma P_1 \in G_1$ (by assumption)
$\Rightarrow \Gamma_1, U \in D', \Gamma_2, [\sigma](\Gamma_3) \vdash_\Sigma [\sigma](P_1) \in [\sigma](G_1)$ (by hyp.)
$\Gamma_1, U \in D', \Gamma_2, V \in D', \Gamma_3 \vdash_\Sigma P_2 \in G_2$ (by assumption)
$\Rightarrow \Gamma_1, U \in D', \Gamma_2, [\sigma](\Gamma_3) \vdash_\Sigma [\sigma](P_2) \in [\sigma](G_2)$ (by hyp.)
$\Rightarrow \Gamma_1, U \in D', \Gamma_2, [\sigma](\Gamma_3) \vdash_\Sigma [\sigma](\mathsf{pair}\ P_1\ P_2) \in [\sigma](G_1 \wedge G_2)$ (Apply R$\wedge$)

Case: R$\vee_1$

$\Gamma_1, U \in D', \Gamma_2, V \in D', \Gamma_3 \vdash_\Sigma P \in G_1$ (by assumption)
$\Rightarrow \Gamma_1, U \in D', \Gamma_2, [\sigma](\Gamma_3) \vdash_\Sigma [\sigma](P) \in [\sigma](G_1)$ (by hyp.)
$\Rightarrow \Gamma_1, U \in D', \Gamma_2, [\sigma](\Gamma_3) \vdash_\Sigma [\sigma](\mathsf{inl}\ P) \in [\sigma](G_1 \vee G_2)$ (Apply R$\vee_1$)

Case: R$\vee_2$

$\Gamma_1, U \in D', \Gamma_2, V \in D', \Gamma_3 \vdash_\Sigma P \in G_2$ (by assumption)
$\Rightarrow \Gamma_1, U \in D', \Gamma_2, [\sigma](\Gamma_3) \vdash_\Sigma [\sigma](P) \in [\sigma](G_2)$ (by hyp.)
$\Rightarrow \Gamma_1, U \in D', \Gamma_2, [\sigma](\Gamma_3) \vdash_\Sigma [\sigma](\mathsf{inr}\ P) \in [\sigma](G_1 \vee G_2)$ (Apply R$\vee_2$)

Case: R$\rightarrow$

$\Gamma_1, U \in D', \Gamma_2, V \in D', \Gamma_3, X \in D \vdash_\Sigma P \in G$ (by assumption)
$\Rightarrow \Gamma_1, U \in D', \Gamma_2, [\sigma](\Gamma_3), X \in D \vdash_\Sigma [\sigma](P) \in [\sigma](G)$ (by hyp.)
$\Rightarrow \Gamma_1, U \in D', \Gamma_2, [\sigma](\Gamma_3) \vdash_\Sigma [\sigma](\mathsf{fun}\ X.P) \in [\sigma](D \rightarrow G)$ (Apply R$\rightarrow$)

Case: R$\forall$

$\Gamma_1, U \in D', \Gamma_2, V \in D', \Gamma_3, Y \in A_G \vdash_\Sigma [Y/X](P) \in [Y/X](G)$ (by assumption)
$\Rightarrow \Gamma_1, U \in D', \Gamma_2, [\sigma](\Gamma_3), Y \in [\sigma](A_G) \vdash_\Sigma [\sigma]([Y/X](P)) \in [\sigma]([Y/X](G))$ (by hyp.)
$= \Gamma_1, U \in D', \Gamma_2, [\sigma](\Gamma_3), Y \in [\sigma](A_G) \vdash_\Sigma [Y/X]([\sigma](P)) \in [Y/X]([\sigma](G))$ (trivial)
$\Rightarrow \Gamma_1, U \in D', \Gamma_2, [\sigma](\Gamma_3) \vdash_\Sigma [\sigma](\mathsf{fun}\ X.P) \in [\sigma](\forall X : A_G.\,G)$ (Apply R$\forall$, by def. subst.)

Case: R$\exists$

$\Gamma_1, U \in D', \Gamma_2, V \in D', \Gamma_3 \vdash_\Sigma P' \in A_G$ (by assumption)
$\Rightarrow \Gamma_1, U \in D', \Gamma_2, [\sigma](\Gamma_3) \vdash_\Sigma [\sigma](P') \in [\sigma](A_G)$ (by hyp.)
$\Gamma_1, U \in D', \Gamma_2, V \in D', \Gamma_3 \vdash_\Sigma P \in [P'/X](G)$ (by assumption)
$\Rightarrow \Gamma_1, U \in D', \Gamma_2, [\sigma](\Gamma_3) \vdash_\Sigma [\sigma](P) \in [\sigma]([P'/X](G))$ (by hyp.)
$= \Gamma_1, U \in D', \Gamma_2, [\sigma](\Gamma_3) \vdash_\Sigma [\sigma](P) \in [[\sigma](P')/X]([\sigma](G))$ (trivial)
$\Rightarrow \Gamma_1, U \in D', \Gamma_2, [\sigma](\Gamma_3) \vdash_\Sigma [\sigma](\mathsf{inx}\ P'\ P) \in [\sigma](\exists X : A_G.\,G)$ (Apply R$\exists$)

Case: rec

$\Gamma_1, U \in D', \Gamma_2, V \in D', \Gamma_3, X \in C \vdash_\Sigma P \in C$ (by assumption)
$\Rightarrow \Gamma_1, U \in D', \Gamma_2, [\sigma](\Gamma_3), X \in [\sigma](C) \vdash_\Sigma [\sigma](P) \in [\sigma](C)$ (by hyp.)
$\Rightarrow \Gamma_1, U \in D', \Gamma_2, [\sigma](\Gamma_3) \vdash_\Sigma [\sigma](\mathsf{rec}\ X.P) \in [\sigma](C)$ (Apply rec, by def. subst.)

Case: L$\wedge$

$\Gamma_1, X \in D_1 \wedge D_2, \Gamma_2, U \in D', \Gamma_3, V \in D', \Gamma_4, X_1 \in D_1, X_2 \in D_2 \vdash_\Sigma P \in G$ (by assumption)
$\Rightarrow \Gamma_1, X \in D_1 \wedge D_2, \Gamma_2, U \in D', \Gamma_3, [\sigma](\Gamma_4), X_1 \in [\sigma](D_1), X_2 \in [\sigma](D_2) \vdash_\Sigma [\sigma](P) \in [\sigma](G)$ (by hyp.)
$= \Gamma_1, X \in D_1 \wedge D_2, \Gamma_2, U \in D', \Gamma_3, [\sigma](\Gamma_4), X_1 \in D_1, X_2 \in D_2 \vdash_\Sigma [\sigma](P) \in [\sigma](G)$ (trivial)
$\Rightarrow \Gamma_1, X \in D_1 \wedge D_2, \Gamma_2, U \in D', \Gamma_3, [\sigma](\Gamma_4) \vdash_\Sigma [\sigma](\mathsf{case}\ X\ \mathsf{of}\ (\mathsf{pair}\ X_1\ X_2) \Rightarrow P) \in [\sigma](G)$ (Apply L$\wedge$)

$\Gamma_1, U \in D', \Gamma_2, X \in D_1 \wedge D_2, \Gamma_3, V \in D', \Gamma_4, X_1 \in D_1, X_2 \in D_2 \vdash_\Sigma P \in G$ (by assumption)
$\Rightarrow \Gamma_1, U \in D', \Gamma_2, X \in D_1 \wedge D_2, \Gamma_3, [\sigma](\Gamma_4), X_1 \in D_1, X_2 \in D_2 \vdash_\Sigma [\sigma](P) \in [\sigma](G)$ (by hyp.)
$\Rightarrow \Gamma_1, U \in D', \Gamma_2, X \in D_1 \wedge D_2, \Gamma_3, [\sigma](\Gamma_4) \vdash_\Sigma [\sigma](\mathsf{case}\ X\ \mathsf{of}\ (\mathsf{pair}\ X_1\ X_2) \Rightarrow P) \in [\sigma](G)$ (Apply L$\wedge$)

$\Gamma_1, U \in D', \Gamma_2, V \in D', \Gamma_3, X \in D_1 \wedge D_2, \Gamma_4, X_1 \in D_1, X_2 \in D_2 \vdash_\Sigma P \in G$ (by assumption)
$\Rightarrow \Gamma_1, U \in D', \Gamma_2, [\sigma](\Gamma_3, X \in D_1 \wedge D_2, \Gamma_4), X_1 \in [\sigma](D_1), X_2 \in [\sigma](D_2) \vdash_\Sigma [\sigma](P) \in [\sigma](G)$ (by hyp.)
$\Rightarrow \Gamma_1, U \in D', \Gamma_2, [\sigma](\Gamma_3), X \in [\sigma](D_1) \wedge [\sigma](D_2), [\sigma](\Gamma_4) \vdash_\Sigma [\sigma](\mathsf{case}\ X\ \mathsf{of}\ (\mathsf{pair}\ X_1\ X_2) \Rightarrow P) \in [\sigma](G)$ (Apply L$\wedge$)
$= \Gamma_1, U \in D', \Gamma_2, [\sigma](\Gamma_3), X \in [\sigma](D_1 \wedge D_2), [\sigma](\Gamma_4) \vdash_\Sigma [\sigma](\mathsf{case}\ X\ \mathsf{of}\ (\mathsf{pair}\ X_1\ X_2) \Rightarrow P) \in [\sigma](G)$ (trivial)

Case: L$\vee$

$\Gamma_1, X \in D_1 \vee D_2, \Gamma_2, U \in D', \Gamma_3, V \in D', \Gamma_4, X_1 \in D_1 \vdash_\Sigma P_1 \in G$ (by assumption)
$\Rightarrow \Gamma_1, X \in D_1 \vee D_2, \Gamma_2, U \in D', \Gamma_3, [\sigma](\Gamma_4), X_1 \in [\sigma](D_1) \vdash_\Sigma [\sigma](P_1) \in [\sigma](G)$ (by hyp.)
$= \Gamma_1, X \in D_1 \vee D_2, \Gamma_2, U \in D', \Gamma_3, [\sigma](\Gamma_4), X_1 \in D_1 \vdash_\Sigma [\sigma](P_1) \in [\sigma](G)$ (trivial)
$\Gamma_1, X \in D_1 \vee D_2, \Gamma_2, U \in D', \Gamma_3, V \in D', \Gamma_4, X_2 \in D_2 \vdash_\Sigma P_2 \in G$ (by assumption)
$\Rightarrow \Gamma_1, X \in D_1 \vee D_2, \Gamma_2, U \in D', \Gamma_3, [\sigma](\Gamma_4), X_2 \in [\sigma](D_2) \vdash_\Sigma [\sigma](P_2) \in [\sigma](G)$ (by hyp.)
$= \Gamma_1, X \in D_1 \vee D_2, \Gamma_2, U \in D', \Gamma_3, [\sigma](\Gamma_4), X_2 \in D_2 \vdash_\Sigma [\sigma](P_2) \in [\sigma](G)$ (trivial)
$\Rightarrow \Gamma_1, X \in D_1 \vee D_2, \Gamma_2, U \in D', \Gamma_3, [\sigma](\Gamma_4) \vdash_\Sigma [\sigma](\mathsf{case}\ X\ \mathsf{of}\ (\mathsf{inl}\ X_1) \Rightarrow P_1 \mid (\mathsf{inr}\ X_2) \Rightarrow P_2) \in [\sigma](G)$ (Apply L$\vee$)

$\Gamma_1, U \in D', \Gamma_2, X \in D_1 \vee D_2, \Gamma_3, V \in D', \Gamma_4, X_1 \in D_1 \vdash_\Sigma P_1 \in G$ (by assumption)
$\Rightarrow \Gamma_1, U \in D', \Gamma_2, X \in D_1 \vee D_2, \Gamma_3, [\sigma](\Gamma_4), X_1 \in D_1 \vdash_\Sigma [\sigma](P_1) \in [\sigma](G)$ (by hyp.)
$\Gamma_1, U \in D', \Gamma_2, X \in D_1 \vee D_2, \Gamma_3, V \in D', \Gamma_4, X_2 \in D_2 \vdash_\Sigma P_2 \in G$ (by assumption)
$\Rightarrow \Gamma_1, U \in D', \Gamma_2, X \in D_1 \vee D_2, \Gamma_3, [\sigma](\Gamma_4), X_2 \in D_2 \vdash_\Sigma [\sigma](P_2) \in [\sigma](G)$ (by hyp.)
$\Rightarrow \Gamma_1, U \in D', \Gamma_2, X \in D_1 \vee D_2, \Gamma_3, [\sigma](\Gamma_4) \vdash_\Sigma [\sigma](\mathsf{case}\ X\ \mathsf{of}\ (\mathsf{inl}\ X_1) \Rightarrow P_1 \mid (\mathsf{inr}\ X_2) \Rightarrow P_2) \in [\sigma](G)$ (Apply L$\vee$)

$\Gamma_1, U \in D', \Gamma_2, V \in D', \Gamma_3, X \in D_1 \vee D_2, \Gamma_4, X_1 \in D_1 \vdash_\Sigma P_1 \in G$ (by assumption)
$\Rightarrow \Gamma_1, U \in D', \Gamma_2, [\sigma](\Gamma_3, X \in D_1 \vee D_2, \Gamma_4), X_1 \in [\sigma](D_1) \vdash_\Sigma [\sigma](P_1) \in [\sigma](G)$ (by hyp.)
$= \Gamma_1, U \in D', \Gamma_2, [\sigma](\Gamma_3), X \in [\sigma](D_1) \vee [\sigma](D_2), [\sigma](\Gamma_4), X_1 \in [\sigma](D_1) \vdash_\Sigma [\sigma](P_1) \in [\sigma](G)$ (trivial)
$\Gamma_1, U \in D', \Gamma_2, V \in D', \Gamma_3, X \in D_1 \vee D_2, \Gamma_4, X_2 \in D_2 \vdash_\Sigma P_2 \in G$ (by assumption)
$\Rightarrow \Gamma_1, U \in D', \Gamma_2, [\sigma](\Gamma_3, X \in D_1 \vee D_2, \Gamma_4), X_2 \in [\sigma](D_2) \vdash_\Sigma [\sigma](P_2) \in [\sigma](G)$ (by hyp.)
$= \Gamma_1, U \in D', \Gamma_2, [\sigma](\Gamma_3), X \in [\sigma](D_1) \vee [\sigma](D_2), [\sigma](\Gamma_4), X_2 \in [\sigma](D_2) \vdash_\Sigma [\sigma](P_2) \in [\sigma](G)$ (trivial)
$\Rightarrow \Gamma_1, U \in D', \Gamma_2, [\sigma](\Gamma_3), X \in [\sigma](D_1) \vee [\sigma](D_2), [\sigma](\Gamma_4) \vdash_\Sigma [\sigma](\mathsf{case}\ X\ \mathsf{of}\ (\mathsf{inl}\ X_1) \Rightarrow P_1 \mid (\mathsf{inr}\ X_2) \Rightarrow P_2) \in [\sigma](G)$ (Apply L$\vee$)
$= \Gamma_1, U \in D', \Gamma_2, [\sigma](\Gamma_3), X \in [\sigma](D_1 \vee D_2), [\sigma](\Gamma_4) \vdash_\Sigma [\sigma](\mathsf{case}\ X\ \mathsf{of}\ (\mathsf{inl}\ X_1) \Rightarrow P_1 \mid (\mathsf{inr}\ X_2) \Rightarrow P_2) \in [\sigma](G)$ (trivial)

Cases: the other left rules follow the same pattern.

Case: case: $\Gamma = \Gamma_1, U \in D', \Gamma_2, V \in D', \Gamma_3$. Note that the declaration $X \in A_G$ must be in $\Gamma_1$, $\Gamma_2$ or $\Gamma_3$.

$\vdash [P/X](\Gamma_1, U \in D', \Gamma_2, V \in D', \Gamma_3)\ \mathsf{ctx}$ (by assumption)
$\Rightarrow \vdash [P/X](\Gamma_1), U \in [P/X](D'), [P/X](\Gamma_2), V \in [P/X](D'), [P/X](\Gamma_3)\ \mathsf{ctx}$ (by def. subst.)
$\Rightarrow \vdash [P/X](\Gamma_1), U \in [P/X](D'), [P/X](\Gamma_2), [\sigma]([P/X](\Gamma_3))\ \mathsf{ctx}$ (by hyp.)
$\Gamma_1, U \in D', \Gamma_2, V \in D', \Gamma_3 \vdash_\Sigma P \in A_G$ (by assumption)
$\Rightarrow \Gamma_1, U \in D', \Gamma_2, [\sigma](\Gamma_3) \vdash_\Sigma [\sigma](P) \in [\sigma](A_G)$ (by hyp.)
$= [\sigma](\Gamma_1, U \in D', \Gamma_2, \Gamma_3) \vdash_\Sigma [\sigma](P) \in [\sigma](A_G)$ (by def. subst.)

Therefore $[\sigma](A_G) = [\sigma \circ \eta](A_G')$, $[\sigma](\Gamma) = [\sigma \circ \eta](\Gamma')$, $[\sigma](G) = [\sigma \circ \eta](G')$. Define $\eta' = \sigma \circ \eta$. Therefore all derivations for

$$\Delta^{(i)}, \Theta^{(i)}(\Gamma') \vdash_\Sigma P^{(i)} \in \Theta^{(i)}(G')$$

are still premisses. The application of the rule yields:

$$[[\sigma](P)/X]([\sigma](\Gamma_1, U \in D', \Gamma_2, \Gamma_3)) \vdash_\Sigma \left(\mathsf{case}\ [\sigma](P)\ \mathsf{of}\ c_1\ Y^{(1)}_1 \ldots Y^{(1)}_{m_1} \Rightarrow [\sigma \circ \eta](P^{(1)}) \mid \ldots \mid c_n\ Y^{(n)}_1 \ldots Y^{(n)}_{m_n} \Rightarrow [\sigma \circ \eta](P^{(n)})\right) \in [[\sigma](P)/X]([\sigma](G))$$

which is equivalent to

$$[\sigma]([P/X](\Gamma_1, U \in D', \Gamma_2, \Gamma_3)) \vdash_\Sigma [\sigma]\left(\mathsf{case}\ P\ \mathsf{of}\ c_1\ Y^{(1)}_1 \ldots Y^{(1)}_{m_1} \Rightarrow [\eta](P^{(1)}) \mid \ldots \mid c_n\ Y^{(n)}_1 \ldots Y^{(n)}_{m_n} \Rightarrow [\eta](P^{(n)})\right) \in [\sigma]([P/X](G))$$


□ 
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Lemma  4.19  (Substitution  Lemma:)  Let  D  be  data  formulae,  K  a  kind,  Ap  an  atomic 
type,  Aa  goal  type,  Ap,  A  data  types,  M  object  and  P  a  program.  For  c  :  A  6  S  the  following 

holds:  For  all  meta  contexts  ri,r2,  and  for  all  object  context  A:  Let  F  =  Ti,Z  €  A,  r2,  and 

F'  =  Fi,  [c/Z](F2)  and  let  A'  =  \c/Z\[A)  and  a  —  \c/Z\.  Then  we  have: 

F;  A  hs  /F  kind  ^  F^;  A'  hg  [(7](iF)  kind 
F;AhsAp:/F  F';  A' hs  H(Ap)  :  [a](K) 

F;AhEAG:/F  F';  A' hg  [(7](Ag)  :  M(iF) 

r-,A\-s  Ad  :K  F';  A' M(Ad)  :  [a](iF) 

F;AhsM:Ap  F';  A' hs  [a](M)  :  [cr](Ap) 

F;  A  hs  M  :  Aq  F';  A'  hs  [(f\{M)  :  ^(Ag) 

F;  A  hs  M  :  Ap  F';  A'  hs  [o'](M)  :  [ct](A£») 

F  l-E  data  =»  F'  hs  M(I1)  data 
Vh^PeG  r'l-E[a](P)e[a](G) 

hs  F  ctx  ^  hs  F^  ctx 

Proof: 

Cases  for  F;  A  7F  kind:  same  as  in  proof  for  lemma  4A5. 

Cases  for  F;  A  hs  Ap  :  A':  same  as  in  proof  for  lemma  4A5. 

Cases  for  F;  A  hs  Ag  :  K:  same  as  in  proof  for  lemma  4A5. 

Cases  for  F;  A  hs  Ap  :  K:  same  as  in  proof  for  lemma  4A5. 

Cases  for  F;  A  hs  M  :  Ap:  same  as  in  proof  for  lemma  4A5. 

Cases  for  F;  A  M  :  Ag:  same  as  in  proof  for  lemma  4A5. 

Cases  for  T;  A\-£  M  :  Ap:  same  as  in  proof  for  lemma  4A5. 

Cases  for  F  hs  D  data:  same  as  in  proof  for  lemma  4.15. 

Cases  for  (-£  F  ctx:  same  as  in  proof  for  lemma  4.15. 

Cases  for  F  hs  F  6  G: 

Case:  All  axioms  and  right  rules  are  straightforward 
Case:  LA 

Ti,  Z  £  A,T2,X  £  Di  A  D2,Ts,Xi  &  Di,X2  ^  D2\~'£  P  E  G  Ass. 

Fi, (t(F2),  A  £  cr{Di  A  D2)) ^^(Fs))  £  a{Di),X2  G  o’[D2) 

l-E  (7{P)  £  cr{G)  I.H. 

=  Fi,c7(F2),X  £  (r{D^)Aa{D2),a{T^),Xl  £  (t{Di),X2  £  <t(G2) 

l-s  a(P)  £  a(G) 


Def.  subst 
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=»  Ti,(T{T2),X£cT{Di)Aa{D2),a{rz) 

|-£  (case  X  of  (pair  Xi  X2)  (t{P))  €  cr{G) 

=  Ti,(T{T2),Xea{DiAD2),<7{T3) 

!-£  (7(case  X  of  (pair  Xi  X2)  ^  P)  G  (^{G) 

Fi ,  X  €  Di  A  i?2)  F2,  ^  €  A,  Fs,  Xi  G  Di,  X2  G  D2  l~£  P  E  G 

TuX  e  DiAD2,r2,(T{T3),Xi  e  ct(A),^2  e  (t(F>2)  Hs  a{P)  G  (7(G) 
Fi,XgAAD2,F2,(t(F3),Xi  gI1i,X2GD2Hs(7(P)  Gcr(G) 

Fi,X  G  F>i  A  D2)F2,(t(F3) 

!-£  (case  X  of  (pair  Xi  X2)  ^  o-(-P))  €  (7(G) 

=  Fi,XGI1iAD2,F2,(7(F3) 

!-£  (7(case  X  of  (pair  Xi  ^^”2)  P)  E  cr{G) 


Case:  LV 


Ti,  X  G  A,  F2,^  G  Di  V  D2,  F3,  Xi  G  Di  hs  Pi  £  G 
^  Fi,(7(r2),X  G  (7(Di  V  D2),(7(F3),Xi  G  a{Di)  a{Pi)  G  (7(G) 

=  Fx,a(F2),X  G  (7(A)  V(7(L»2),^t(F3),Xi  G  cr{Di)  hs  ct{Pi)  G  a{G) 
Fi,  Z  G  A,  r2,  X  G  Di  V  D2,  F3,  X2  G  D2  I~e  P2  G  G 


Fi,(7(r2),X  G  (7(A  V  A),(t(F3),X2  G  <t{D2)  (7(^2)  €  a(G) 

Fi,(7(F2),X  G  (7(A)  V(7(A),tr(F3),X2  G  (r(A)  ^^(^2)  €  C7(G) 

Fi,(7(F2),XG  (7(A)  V  (7(A),  f^(F3) 
case  X  of  (ini  Xi)  ^  O’(-Pi) 

I  (inr  X2)  =>•  <7(^2) 

Fi,a('F2),XG(7(AVD2),(7(r3) 

case  X  of  (ini  Xi)  Pi  \ 

I  (inrX2)^P2  ] 


l“S 


l“E  (7 


G  C7(G) 


G(7(G) 


Fi,  X  G  Di  V  i?2j  F2,  ^  G  Fs,  Xi  G  -Di  I“e  Fi  G  G 

Fi,  JC  G  iDi  VD2,F2,a(F3),Xi  G  a{D^)  c7(Pi)  G  g{G) 

^  Fi,XGZ?iVD2,F2,a(F3),XiG  AhEa(Pi)  Ga(G) 

Fi,  X  G  Di  V  D2j  F2,  X  G  A,  F3,  X2  G  i)2  t“E  F2  G  G 


=>“  Fi,X  G  Di  V  Z?2i  F2,  cr(F3),  X2  G  (j{D2)  t“E  ^(^2)  G  o‘[G) 
=>  Fi,X  G  Di  V  Z)2>  F2,  cr(F3) ,  X2  G  D2  Fe  ^(^2)  G  ^(G) 

Fi,  X  G  F?i  V  D2,  F2,  cr(F3) 

\  I  (inr  X2)  =?►  a{P2)  j 

=  Fi,  X  G  Pi  V  P2,  F2,  (7(F3) 


Case:  L  ^ 

Fi,Zg  A,F2,XgGi^P,F3  He  Pi  e  a 
^  Fi,  (7(F2), X  G  a(A  ^  D),a{T3)  hs  (7(Pi)  G  (7(A) 

=  Fi,(7(r2),X  G  (7(Gi)  ^  (r(P),(7(F3)  hs  (t(Pi)  G  (7(A) 


Apply  La 
Def.  subst 

I.H. 

trivial 

Apply  LA 

Def.  subst 


Ass. 
I.H. 
Def.  subst 
Ass. 
I.H. 
Def.  subst 

Apply  LV 


Def.  Subst 


LH. 

trivial 

I.H. 

trivial 

Apply  LV 


Def.  subst 


Ass. 
I.H. 
Def.  subst 
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Ti ,  Z  €  A,  r2,  X  e  Gi  ^  L>,  Ta,  y  e  D  l-E  P2  G  G2 

^  rua{T2),Xea{Gi-^D),a(T3),Yea{D)\-j:a{P2)£a{G2)  I.H. 

=  ri,a(r2),XGa(Gi)^(T(P),a(r3),y€(T(D)l-scT(P2)e(r(G2)  Def.  subst 

^  ri,(7(r2),XG(7(Gi)-^a(p),(7(r3) 

|-E  (let  (app  X  <7(Pi))  be  Y  in  <t(P2))  €  (t{G2)  Apply  L  ->• 

=  ri,(7(r2),AGcT(Gi^D),(T(r3) 

hs  cr(let  (app  X  Pi)  be  Y  in  P2)  G  <y{G2)  Def.  subst 

Ti,  X  G  Gi  D, r2,  Z  G  A,  Fa  I~e  Pi  G  Gi  Ass. 

ri,XGG'i^D,r2,a(r3)t-sa(Pi)G  a(Gi)  I.H. 

=  ri,XGGi^D,r2,a(r3)l-s<T(Px)GGi  triv. 

ruXeGi^D,T2,ZeA,T3,Y£D\-j^P2eG2  Ass. 

^  ri,x  eGi^  D,r2,a{r3),Y  e(T{D)\-^(T{P2)ea{G2)  i.h. 

=  ri,XGGi^D,r2,a(r3),y  6DI-sc^(F2)€G2  triv. 

ri,XGGi^D,r2,(T(r3) 

hs  (let  (app  X  cr(Pi))  be  y  in  <t(P2))  G  G2  Apply  L  -> 

=  ri,XGGi^D,r2,<r(r3) 

|-E  (T(let  (app  X  Pi)  be  Y  in  P2)  G  G2  Def.  subst 

Case:  LV 

Fi,  Z  G  A,  F2,  X  G  Vy  :  Aq-D,  F3  He  Pi  G  Aq  Ass. 

=;>  Fi,(T(F2),AGa(Vy:AG.D),a(F3)hEa(Pi)  Gc7(A^)  I.H. 

=  Fi,^(F2),  A  G  vy  :  a{AG).a{D),a{T3)  He  a(Pi)  G  c{Ag)  triv. 

Fi,  Z  G  A,  F2,  A  G  vy  :  Ag-D,  F3,  Z'  G  [Pi/y](D)  He  P2  G  G  Ass. 

Fi,a(F2),A  G  cr(Vy  :  Ag-D),  ^(Fa),  Z'  G  a([Pi/y](D))  Fe  ^(Pi)  G  a(G)  I.H. 
=  Fi,(7(F2),AG  Vy  :a(AG).c7(D),a(F3),Z'G[a(Pi)/y](a(D)) 

l“S  <^(^2)  €  o’(G)  triv. 

Fi,a(F2),AGVy  :a(AG).a(D),a(F3) 

He  (let  (app  A  cr(Pi))  be  Z'  in  cr(P2))  G  cr{G)  Apply  LV 

^  Fi,t7(F2),AGa(Vy:  Ag.D),(7(F3) 

|-E  <T(let  (app  A  Pi)  be  Z'  in  P2)  G  cr{G)  Def.  subst 

Fi,  A  G  vy  :  Ag.D,  F2,  Z  G  A,  F3  He  Pi  G  A^  Ass. 

Fi,  A  G  vy  :  Ag.D,  F2,  ^■(Fa)  I-e  <^(Pi)  G  ctAg  I.H. 

=  Fi,AGVy  :AG.D,F2,a(F3)hEa(Pi)GA^  triv. 

Fi,  A  G  vy  :  Ag.D,  F2,  Z  G  A,  F3,  Z'  G  [Pi/y](D)  He  P2  G  G  Ass. 

^  Fi,AGVy  :AG.D,F2,a(F3),Z'G(7([Pi/y](D))l-Ecr(P2)Ga(G)  I.H. 

=  Fi,  A  G  vy  :  AG.D,F2,<r(F3),Z'  G  [<7(Pi)/y](cT(D))  Ke 

<’■(-^2)  G  <^{G)  Def.  subst. 

=  Fi,  A  G  vy  :  AG.D,F2,a(F3),Z'  G  [c7(Pi)/y](D) 

I-E  (t{P2)  G  cr{G)  triv. 

Fi.AGVy  :AG.D,F2,a(F3) 

He  (let  (app  A  <7(Pi))  be  Z'  in  <t(P2))  G  (t{G)  Apply  LV 
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=  VuX  eW  :AG.D,T2,a{rs) 

1-2  (7(let  (app  X  Pi)  be  Z'  in  P2)  G  cr[G)  Def.  subst 

Case:  L3 

ri,Z  e  A,  T2,X  e  BY  :  Ad.D,  Ts,  e  AB",  X2  €]Xi/y](D)  l-s  P  e  G  Ass. 

ri,a(r2),A  G  (7(37  :  AD.D),a{r3),Xi  G  (tAd,X2  G  a([Xi/Y]{D)) 
l-E  a{P)  G  (7(G)  I.H. 

=  ri,(7(r2),A  G  BY  :a{AD).(T{D),cr{T3),Xi  G  (t{Ad),X2  G  [a[Xi)/Y]{a{D)) 

hs  (t{P)  G  <7(G)  Def.  subst. 

=  rx,(7(r2),  A  G  37  :  (T{AD).a{D),aiT3),Xi  G  A2  G  [Ai/7]((7(D)) 

hs  <7(P)  G  (7(G)  triv. 

ri,(7(r2),AG37:(7(AD).(7(D),(7(r3) 

1-2  (case  X  of  (inx  Ai  A2)  (t{P))  G  (7(G)  Apply  L3 

=  Ti, (7(r2),  A  G  37  :  cT{AD).a{D),a{T3) 

1-2  (7(case  A  of  (inx  Ai  A2)  P)  G  (7(G)  Def.  Subst 

Ti,  A  G  37  :  Ad-D,  T2,  Z  e  A,  Fg,  Ai  G  A^A2  G  [Ai/7](D)  I-2  P  G  G  Ass. 

Ti,  A  G  37  :  AD.D,r2,(7(r3),  Ai  G  (7Ac,  A2  G  a{[Xi/Y]{D)) 

1-2  (7(P)  G  (7(G)  I.H. 

=  Ti,  A  G  37  :  Azj.D,  r2,  (7(r3),  Ai  G  (7(Ac),  A2  G  [(7(Ai)/7]((r(D)) 

1-2  (7(P)  G  (7(G)  Def.  subst. 

=  Ti,  A  G  37  :  Az?. A r2,(7(r3),Ai  G  A^,  A2  G  [Ai/7](D) 

|-2  (7(P)  G  (7(G)  triv. 

^  ri,X  eBY  :  Ad.D, T2,a{T3) 

1-2  (case  A  of  (inx  Ai  A2)  ^  (7(P))  G  (7(G)  Apply  L3 

=  ri,AG37:Ap.Ar2,(7(r3) 

f-2  (7(case  A  of  (inx  Ai  A2)  P)  G  (7(G)  Def.  subst 

Case:  LH 

Fi,  A  G  A,  F2,  L  G  Ha;  :  Aq.Ad,  F3  I-2  M  G  Aq  Ass. 

Fi,  (7(F2),  A  G  aUx  :  Ag-Aj),  (7(F3)  I-2  (rM_^Aq _  I.H. 

=  Fi,(7(F2),  A  €  <7(na; :  Ag. A£)),(7(F3)  1-2  (7(M)  G  (7(Ag)  Def;  subst. 

Fi,  A  G  A,  F2,  A  G  Ha;  :  Ag-A/j,  F3,  E  G  ((Fla;  :  Ag-Ad)  M)  I-2  P'  £  G  Ass. 

^  Fi,  (7(F2),  A  G  (Ha;  :  (7(Ag).(7(Ag)),  E  G  ((Hx  :  (7(Ag).(7(Ao))  (7(M)) 

1-2  (7(P0  S  (7(G)  I.H.,Def.  subst 

=»  Fi,  (7(F2),  A  G  (7(na;  :  Ag-Ag),  a{T3)[{La{M))/E]{cr{P'))  G  (7(G)  Apply  LH 
=  Fi,(7(F2),Ae(7(na:;AG.AD),(7(F3)(7([(AM)/P](P'))G(7(G)  Def  subst. 


alternative  analog. 
Case:  LHV  analog 
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Fi,  L  G  IIx  :  Ag-Ad,  r2, 2"  6  A,  Fs  hg  M  G  Aq  Ass. 

Fi,  L  G  Hx  ;  Aq.Ax),  F2,  ^•(Fs)  He  <t(M)  G  Ag  LH.,  Def.  subst,  triv. 

Fi,  F  G  nFTA^:AF,  F2,  Z  G  A,  F3,  e  ti^x  :  AgAp)  M)\-^P'  &G  Ass. 

=¥  Fi,L  G  Fix  ;  AG.Ajr),F2,cr(F3),£^  G  ((Fix  :  Ag.Ao)  cr(M)) 

Fe  (^{P')  G  (^{G)  I.H.,  Def.  subst,  triv. 

Fi,  L  g_IIxjj4g.A£),  F2,  (t(F3) 

Fe  a{[[LM)/E\{P'))  G  cf{G)  Apply  LII,  Def.  subst. 


Case:  LITE 

Fi,  Z  G  A, F2  Fe  M  G  Ag  Ass. 

=>  Fi,o'(F2)  Fe  (j{M)  G  Ag  FH.,  Def.  subst.,  triv. 

Fi ,  Z  G  A,  F2,  E  g  ((Ex  :  Ag- Ag)  M)  H  F  e  G  Ass. 

Fi,  (t(F2),  E  G  ((Ex  :  Ag-Ad)  o'(M))  He  <^{P')  G  <^{G)  I.H.,  Def.  subst.,  triv. 

Fi,  <t(F2)  Fe  [{La{M))/E]{a{P'))  G  a{G)  Apply  LEE,  Def.  subst. 

=  Fi,a(F2)  Fe  a{[{LM)/E]{P'))  G  (t{G) 


Case:  LEEV  analog 

Case: case. Note that $X \in B$ occurs in $\Gamma_1$ or $\Gamma_2$; here $X \in B$ occurs left of $Z \in A$:

$$\vdash_\Sigma [P/X](\Gamma_1), Z \in A, [P/X](\Gamma_2)\ \mathsf{ctx} \qquad \text{by assumption}$$
$$\vdash_\Sigma [P/X](\Gamma_1), \sigma([P/X](\Gamma_2))\ \mathsf{ctx} \qquad \text{by hyp.}$$
$$\Gamma_1, Z \in A, \Gamma_2 \vdash_\Sigma P \in B \qquad \text{by assumption}$$
$$\Gamma_1, \sigma(\Gamma_2) \vdash_\Sigma \sigma(P) \in \sigma(B) \qquad \text{by hyp.}$$
$$=\ \sigma(\Gamma_1, \Gamma_2) \vdash_\Sigma \sigma(P) \in \sigma(B) \qquad \text{by def. subst.}$$


Therefore $[\sigma](B) = [\sigma \circ \eta](B')$, $[\sigma](\Gamma) = [\sigma \circ \eta](\Gamma')$, $[\sigma](G) = [\sigma \circ \eta](G')$. Define $\eta' = \sigma \circ \eta$. Therefore all derivations for

$$[\eta'](\Gamma') \vdash_\Sigma P^{(i)} \in [\eta'](G')$$

are still premisses. The application of the rule yields:

$$[[\sigma](P)/X]([\sigma](\Gamma_1, \Gamma_2)) \vdash_\Sigma \left(\mathsf{case}\ [\sigma](P)\ \mathsf{of}\ c_1\, X^{(1)} \ldots \Rightarrow [\sigma \circ \eta](P^{(1)}) \mid \ldots \mid c_n\, X^{(n)} \ldots \Rightarrow [\sigma \circ \eta](P^{(n)})\right) \in [[\sigma](P)/X]([\sigma](G))$$

which is equivalent to

$$[\sigma]([P/X](\Gamma_1, \Gamma_2)) \vdash_\Sigma [\sigma]\left(\mathsf{case}\ P\ \mathsf{of}\ c_1\, X^{(1)} \ldots \Rightarrow [\eta](P^{(1)}) \mid \ldots \mid c_n\, X^{(n)} \ldots \Rightarrow [\eta](P^{(n)})\right) \in [\sigma]([P/X](G))$$

APPENDIX C. LOCAL REDUCTIONS

□

Theorem 4.21 (Local reductions in MLF): If $\mathcal{D} :: \Gamma_1 \vdash_\Sigma K \in C$ and $\mathcal{E} :: \Gamma_1, X \in C, \Gamma_2 \vdash_\Sigma P \in G$ then there is a derivation $\mathcal{F}$, s.t. $\mathcal{F} :: \Gamma_1, [\sigma](\Gamma_2) \vdash_\Sigma [\sigma](P) \in [\sigma](G)$ with $\sigma = [K/X]$.

Proof:

Case: Meta variables. If $K$ is a meta variable, four cases may occur:

Case: Let $\mathcal{D}$ be an id instantiation

$$\mathcal{D} = \frac{}{\Gamma_1, X \in C, \Gamma_2 \vdash_\Sigma X \in C}\ \text{id}$$

and $\mathcal{E}$ a derivation for

$$\mathcal{E} :: \Gamma_1, X \in C, \Gamma_2, Y \in C, \Gamma_3 \vdash_\Sigma P \in G$$

$$\mathcal{F} :: \mathcal{D} \otimes \mathcal{E} = \Gamma_1, X \in C, \Gamma_2, [X/Y](\Gamma_3) \vdash_\Sigma [X/Y](P) \in [X/Y](G)$$

But this derivation can be accomplished by contraction lemma 4.17.

Case: Let $\mathcal{D}$ be a derivation for

$$\mathcal{D} :: \Gamma_1 \vdash_\Sigma P \in C$$

and $\mathcal{E}$ be a derivation for

$$\mathcal{E} = \frac{}{\Gamma_1, X \in C, \Gamma_2 \vdash_\Sigma X \in C}\ \text{id}$$

$$\mathcal{F} :: \mathcal{D} \otimes \mathcal{E} = \Gamma_1, [P/X](\Gamma_2) \vdash_\Sigma P \in C$$

but this follows directly from the weakening lemma 4.16.

Case: Let $\mathcal{D}$ be a const instantiation, $c : A$ a signature entry in $\Sigma$,

$$\mathcal{D} = \frac{}{\Gamma_1 \vdash_\Sigma c \in A}\ \text{const}$$

and $\mathcal{E}$ a derivation for

$$\mathcal{E} :: \Gamma_1, X \in A, \Gamma_2 \vdash_\Sigma P \in G$$

$$\mathcal{F} :: \mathcal{D} \otimes \mathcal{E} = \Gamma_1, [c/X](\Gamma_2) \vdash_\Sigma [c/X](P) \in [c/X](G)$$

but by the substitution lemma 4.19 we can derive the same formula from $\mathcal{E}$ without using cut.

Case: Let $\mathcal{D}$ be a derivation of

$$\mathcal{D} :: \Gamma_1 \vdash_\Sigma P \in C$$

and $\mathcal{E}$ a const instantiation, $c : A$ a signature entry in $\Sigma$,

$$\mathcal{E} = \frac{}{\Gamma_1, X \in C, \Gamma_2 \vdash_\Sigma c \in A}\ \text{const}$$

$$\mathcal{F} :: \mathcal{D} \otimes \mathcal{E} = \Gamma_1, [P/X](\Gamma_2) \vdash_\Sigma c \in A$$

but this follows directly from the weakening lemma 4.16.


Case: fun-programs

Case: Universal quantification. Let $\mathcal{D}$ be a derivation for

$$\mathcal{D} = \frac{\mathcal{D}_1 :: \Gamma_1, Y \in A_B \vdash_\Sigma [Y/X]Q \in [Y/X](C)}{\Gamma_1 \vdash_\Sigma (\mathsf{fun}\ X.Q) \in \forall X : A_B.\,C}\ \text{R}\forall$$

and

$$\mathcal{E} = \frac{\mathcal{E}_1 :: \Gamma_1, F \in \forall X : A_B.\,C, \Gamma_2 \vdash_\Sigma P \in A_B \qquad \mathcal{E}_2 :: \Gamma_1, F \in \forall X : A_B.\,C, \Gamma_2, E \in [P/X](C) \vdash_\Sigma P' \in G}{\Gamma_1, F \in \forall X : A_B.\,C, \Gamma_2 \vdash_\Sigma (\mathsf{let}\ (\mathsf{app}\ F\ P)\ \mathsf{be}\ E\ \mathsf{in}\ P') \in G}\ \text{L}\forall$$

$F \notin \mathrm{Free}(A_B)$ since $\mathrm{Free}(A_B) \subseteq \mathrm{sup}(\Gamma_1)$ and $F \notin \Gamma_1$ (C.1)

$F \notin \mathrm{Free}(C)$ since for $Y$ new, $\mathrm{Free}([Y/X](C)) \setminus \{Y\} \subseteq \mathrm{sup}(\Gamma_1)$ (C.2)

Applying the cut rule to the derivations $\mathcal{D}$ and $\mathcal{E}$ we obtain

$$\mathcal{F} :: \mathcal{D} \otimes \mathcal{E} = \Gamma_1, [\sigma](\Gamma_2) \vdash_\Sigma [\sigma](\mathsf{let}\ (\mathsf{app}\ F\ P)\ \mathsf{be}\ E\ \mathsf{in}\ P') \in [\sigma](G)$$

where we use $\sigma$ as an abbreviation for the substitution $[(\mathsf{fun}\ X.Q)/F]$.

$$\mathcal{F}_1 :: \mathcal{D} \otimes \mathcal{E}_1 = \Gamma_1, [\sigma](\Gamma_2) \vdash_\Sigma [\sigma](P) \in [\sigma](A_B)$$

Because of (C.1) this is equivalent to

$$\mathcal{F}_1 :: \mathcal{D} \otimes \mathcal{E}_1 = \Gamma_1, [\sigma](\Gamma_2) \vdash_\Sigma [\sigma](P) \in A_B$$

$$\mathcal{F}_2 :: \mathcal{D} \otimes \mathcal{E}_2 = \Gamma_1, [\sigma](\Gamma_2), E \in [\sigma]([P/X](C)) \vdash_\Sigma [\sigma](P') \in [\sigma](G)$$

Since $[\sigma]([P/X](C)) = [[\sigma](P)/Y]([\sigma]([Y/X](C)))$ and by (C.2), this simplifies to

$$\mathcal{F}_2 :: \mathcal{D} \otimes \mathcal{E}_2 = \Gamma_1, [\sigma](\Gamma_2), E \in [[\sigma](P)/X](C) \vdash_\Sigma [\sigma](P') \in [\sigma](G)$$

To cut $\mathcal{F}_1$ with $\mathcal{D}_1$ we have to weaken $\mathcal{D}_1$ first; $\mathcal{D}_1'$ is $\mathcal{D}_1$ weakened by $[\sigma](\Gamma_2)$, which exists by lemma 4.16:

$$\mathcal{D}_1' :: \Gamma_1, [\sigma](\Gamma_2), Y \in A_B \vdash_\Sigma [Y/X]Q \in [Y/X](C)$$

$$\mathcal{F}_3 :: \mathcal{D}_1' \otimes \mathcal{F}_1 = \Gamma_1, [\sigma](\Gamma_2) \vdash_\Sigma [[\sigma](P)/Y]([Y/X](Q)) \in [[\sigma](P)/Y]([Y/X](C))$$

which simplifies to

$$\mathcal{F}_3 :: \mathcal{D}_1' \otimes \mathcal{F}_1 = \Gamma_1, [\sigma](\Gamma_2) \vdash_\Sigma [[\sigma](P)/X](Q) \in [[\sigma](P)/X](C)$$

$$\mathcal{F} :: \mathcal{F}_2 \otimes \mathcal{F}_3 = \Gamma_1, [\sigma](\Gamma_2) \vdash_\Sigma [[[\sigma](P)/X](Q)/E]([\sigma](P')) \in [[[\sigma](P)/X](Q)/E]([\sigma](G))$$

and trivially:

$$\mathcal{F} :: \mathcal{F}_2 \otimes \mathcal{F}_3 = \Gamma_1, [\sigma](\Gamma_2) \vdash_\Sigma [[[\sigma](P)/X](Q)/E]([\sigma](P')) \in [\sigma](G)$$

Case: Implication

$$\mathcal{D} = \frac{\mathcal{D}_1 :: \Gamma_1, X \in C_1 \vdash_\Sigma Q \in C_2}{\Gamma_1 \vdash_\Sigma (\mathsf{fun}\ X.Q) \in C_1 \rightarrow C_2}\ \text{R}{\rightarrow}$$

$$\mathcal{E} = \frac{\mathcal{E}_1 :: \Gamma_1, F \in C_1 \rightarrow C_2, \Gamma_2 \vdash_\Sigma P \in C_1 \qquad \mathcal{E}_2 :: \Gamma_1, F \in C_1 \rightarrow C_2, \Gamma_2, E \in C_2 \vdash_\Sigma P' \in G}{\Gamma_1, F \in C_1 \rightarrow C_2, \Gamma_2 \vdash_\Sigma (\mathsf{let}\ (\mathsf{app}\ F\ P)\ \mathsf{be}\ E\ \mathsf{in}\ P') \in G}\ \text{L}{\rightarrow}$$

$$\mathcal{F} :: \mathcal{D} \otimes \mathcal{E} = \Gamma_1, [\sigma](\Gamma_2) \vdash_\Sigma [\sigma](\mathsf{let}\ (\mathsf{app}\ F\ P)\ \mathsf{be}\ E\ \mathsf{in}\ P') \in [\sigma](G)$$

with $[\sigma] = [(\mathsf{fun}\ X.Q)/F]$. Apply Cut to $\mathcal{D}$ and $\mathcal{E}_1$:

$$\mathcal{F}_1 :: \mathcal{D} \otimes \mathcal{E}_1 = \Gamma_1, [\sigma](\Gamma_2) \vdash_\Sigma [\sigma](P) \in [\sigma](C_1)$$

which is equivalent to

$$\mathcal{F}_1 :: \Gamma_1, [\sigma](\Gamma_2) \vdash_\Sigma [\sigma](P) \in C_1$$

Apply Cut to $\mathcal{D}$ and $\mathcal{E}_2$:

$$\mathcal{F}_2 :: \mathcal{D} \otimes \mathcal{E}_2 = \Gamma_1, [\sigma](\Gamma_2), E \in [\sigma](C_2) \vdash_\Sigma [\sigma](P') \in [\sigma](G)$$

which is equivalent to

$$\mathcal{F}_2 :: \Gamma_1, [\sigma](\Gamma_2), E \in C_2 \vdash_\Sigma [\sigma](P') \in [\sigma](G)$$

Weaken $\mathcal{D}_1$ to $\mathcal{D}_1'$ by $[\sigma](\Gamma_2)$:

$$\mathcal{D}_1' :: \Gamma_1, [\sigma](\Gamma_2), X \in C_1 \vdash_\Sigma Q \in C_2$$

Apply Cut to $\mathcal{F}_1$ and $\mathcal{D}_1'$:

$$\mathcal{F}_3 :: \mathcal{F}_1 \otimes \mathcal{D}_1' = \Gamma_1, [\sigma](\Gamma_2) \vdash_\Sigma [[\sigma](P)/X](Q) \in [[\sigma](P)/X](C_2)$$

which is equivalent to

$$\mathcal{F}_3 :: \Gamma_1, [\sigma](\Gamma_2) \vdash_\Sigma [[\sigma](P)/X](Q) \in C_2$$

Apply Cut to $\mathcal{F}_3$ and $\mathcal{F}_2$:

$$\mathcal{F}_4 :: \mathcal{F}_3 \otimes \mathcal{F}_2 = \Gamma_1, [\sigma](\Gamma_2) \vdash_\Sigma [[[\sigma](P)/X](Q)/E]([\sigma](P')) \in [[[\sigma](P)/X](Q)/E]([\sigma](G))$$

which is equivalent to

$$\mathcal{F}_4 :: \Gamma_1, [\sigma](\Gamma_2) \vdash_\Sigma [[[\sigma](P)/X](Q)/E]([\sigma](P')) \in [\sigma](G)$$

Case: inx-programs

$$\mathcal{D} = \frac{\mathcal{D}_1 :: \Gamma_1 \vdash_\Sigma P' \in A_B \qquad \mathcal{D}_2 :: \Gamma_1 \vdash_\Sigma P \in [P'/Y](C)}{\Gamma_1 \vdash_\Sigma (\mathsf{inx}\ P'\ P) \in \exists Y : A_B.\,C}\ \text{R}\exists$$

$$\mathcal{E} = \frac{\mathcal{E}_1 :: \Gamma_1, X \in \exists Y : A_B.\,C, \Gamma_2, X_1 \in A_B, X_2 \in [X_1/Y](C) \vdash_\Sigma Q \in G}{\Gamma_1, X \in \exists Y : A_B.\,C, \Gamma_2 \vdash_\Sigma (\mathsf{case}\ X\ \mathsf{of}\ (\mathsf{inx}\ X_1\ X_2) \Rightarrow Q) \in G}\ \text{L}\exists$$

$$\mathcal{F} :: \mathcal{D} \otimes \mathcal{E} = \Gamma_1, [\sigma](\Gamma_2) \vdash_\Sigma [\sigma](\mathsf{case}\ X\ \mathsf{of}\ (\mathsf{inx}\ X_1\ X_2) \Rightarrow Q) \in [\sigma](G)$$

with $[\sigma] = [(\mathsf{inx}\ P'\ P)/X]$.

$$\mathcal{F}_1 :: \mathcal{D} \otimes \mathcal{E}_1 = \Gamma_1, [\sigma](\Gamma_2), X_1 \in [\sigma](A_B), X_2 \in [\sigma]([X_1/Y](C)) \vdash_\Sigma [\sigma](Q) \in [\sigma](G)$$

which is trivially equivalent to

$$\mathcal{F}_1 :: \mathcal{D} \otimes \mathcal{E}_1 = \Gamma_1, [\sigma](\Gamma_2), X_1 \in A_B, X_2 \in [X_1/Y](C) \vdash_\Sigma [\sigma](Q) \in [\sigma](G)$$

As above we have to weaken $\mathcal{D}_1$ and $\mathcal{D}_2$:

$$\mathcal{D}_1' :: \Gamma_1, [\sigma](\Gamma_2) \vdash_\Sigma P' \in A_B \qquad \mathcal{D}_2' :: \Gamma_1, [\sigma](\Gamma_2) \vdash_\Sigma P \in [P'/Y](C)$$

We can cut $\mathcal{D}_1'$ and $\mathcal{F}_1$ to obtain:

$$\mathcal{F}_2 :: \mathcal{D}_1' \otimes \mathcal{F}_1 = \Gamma_1, [\sigma](\Gamma_2), X_2 \in [P'/X_1]([X_1/Y](C)) \vdash_\Sigma [P'/X_1]([\sigma](Q)) \in [P'/X_1]([\sigma](G))$$

Trivially this is equivalent to

$$\mathcal{F}_2 :: \Gamma_1, [\sigma](\Gamma_2), X_2 \in [P'/Y](C) \vdash_\Sigma [P'/X_1]([\sigma](Q)) \in [\sigma](G)$$

Finally the application of cut to $\mathcal{D}_2'$ and $\mathcal{F}_2$ yields:

$$\mathcal{F}_3 :: \mathcal{D}_2' \otimes \mathcal{F}_2 = \Gamma_1, [\sigma](\Gamma_2) \vdash_\Sigma [P/X_2]([P'/X_1]([\sigma](Q))) \in [P/X_2]([\sigma](G))$$

which is again equivalent to

$$\mathcal{F}_3 :: \Gamma_1, [\sigma](\Gamma_2) \vdash_\Sigma [P/X_2]([P'/X_1]([\sigma](Q))) \in [\sigma](G)$$


Case: inl-programs

$$\mathcal{D} = \frac{\mathcal{D}_1 :: \Gamma_1 \vdash_\Sigma P \in C_1}{\Gamma_1 \vdash_\Sigma (\mathsf{inl}\ P) \in C_1 \vee C_2}\ \text{R}{\vee_1}$$

$$\mathcal{E} = \frac{\mathcal{E}_1 :: \Gamma_1, X \in C_1 \vee C_2, \Gamma_2, X_1 \in C_1 \vdash_\Sigma P_1 \in G \qquad \mathcal{E}_2 :: \Gamma_1, X \in C_1 \vee C_2, \Gamma_2, X_2 \in C_2 \vdash_\Sigma P_2 \in G}{\Gamma_1, X \in C_1 \vee C_2, \Gamma_2 \vdash_\Sigma (\mathsf{case}\ X\ \mathsf{of}\ (\mathsf{inl}\ X_1) \Rightarrow P_1 \mid (\mathsf{inr}\ X_2) \Rightarrow P_2) \in G}\ \text{L}{\vee}$$

$$\mathcal{F} :: \mathcal{D} \otimes \mathcal{E} = \Gamma_1, [\sigma](\Gamma_2) \vdash_\Sigma [\sigma](\mathsf{case}\ X\ \mathsf{of}\ (\mathsf{inl}\ X_1) \Rightarrow P_1 \mid (\mathsf{inr}\ X_2) \Rightarrow P_2) \in [\sigma](G)$$

where $[\sigma] = [(\mathsf{inl}\ P)/X]$. Apply Cut to $\mathcal{D}$ and $\mathcal{E}_1$:

$$\mathcal{F}_1 :: \mathcal{D} \otimes \mathcal{E}_1 = \Gamma_1, [\sigma](\Gamma_2), X_1 \in [\sigma](C_1) \vdash_\Sigma [\sigma](P_1) \in [\sigma](G)$$

which is equivalent to

$$\mathcal{F}_1 :: \Gamma_1, [\sigma](\Gamma_2), X_1 \in C_1 \vdash_\Sigma [\sigma](P_1) \in [\sigma](G)$$

Weaken $\mathcal{D}_1$ to $\mathcal{D}_1'$ by $[\sigma](\Gamma_2)$:

$$\mathcal{D}_1' :: \Gamma_1, [\sigma](\Gamma_2) \vdash_\Sigma P \in C_1$$

Apply Cut to $\mathcal{D}_1'$ and $\mathcal{F}_1$:

$$\mathcal{F}_2 :: \mathcal{D}_1' \otimes \mathcal{F}_1 = \Gamma_1, [\sigma](\Gamma_2) \vdash_\Sigma [P/X_1]([\sigma](P_1)) \in [P/X_1]([\sigma](G))$$

which is equivalent to

$$\mathcal{F}_2 :: \Gamma_1, [\sigma](\Gamma_2) \vdash_\Sigma [P/X_1]([\sigma](P_1)) \in [\sigma](G)$$

Case: inr-programs

$$\mathcal{D} = \frac{\Gamma_1 \vdash_\Sigma P \in C_2}{\Gamma_1 \vdash_\Sigma (\mathsf{inr}\ P) \in C_1 \vee C_2}\ \text{R}{\vee_2}$$

This goes analogously to the previous case.

Case: pair-programs

$$\mathcal{D} = \frac{\mathcal{D}_1 :: \Gamma_1 \vdash_\Sigma P_1 \in C_1 \qquad \mathcal{D}_2 :: \Gamma_1 \vdash_\Sigma P_2 \in C_2}{\Gamma_1 \vdash_\Sigma (\mathsf{pair}\ P_1\ P_2) \in C_1 \wedge C_2}\ \text{R}{\wedge}$$

and

$$\mathcal{E} = \frac{\mathcal{E}_1 :: \Gamma_1, X \in C_1 \wedge C_2, \Gamma_2, X_1 \in C_1, X_2 \in C_2 \vdash_\Sigma P \in G}{\Gamma_1, X \in C_1 \wedge C_2, \Gamma_2 \vdash_\Sigma (\mathsf{case}\ X\ \mathsf{of}\ (\mathsf{pair}\ X_1\ X_2) \Rightarrow P) \in G}\ \text{L}{\wedge}$$

$X \notin \mathrm{Free}(C_1) \cup \mathrm{Free}(C_2)$, since $X \notin \mathrm{sup}(\Gamma_1)$ (C.3)

(C.4)

$$\mathcal{F} :: \mathcal{D} \otimes \mathcal{E} = \Gamma_1, [\sigma](\Gamma_2) \vdash_\Sigma [\sigma](\mathsf{case}\ X\ \mathsf{of}\ (\mathsf{pair}\ X_1\ X_2) \Rightarrow P) \in [\sigma](G)$$

where $\sigma$ is a shorthand for $[(\mathsf{pair}\ P_1\ P_2)/X]$.

$$\mathcal{F}_1 :: \mathcal{D} \otimes \mathcal{E}_1 = \Gamma_1, [\sigma](\Gamma_2), X_1 \in [\sigma](C_1), X_2 \in [\sigma](C_2) \vdash_\Sigma [\sigma](P) \in [\sigma](G)$$

Because of (C.3) this is equivalent to

$$\mathcal{F}_1 :: \mathcal{D} \otimes \mathcal{E}_1 = \Gamma_1, [\sigma](\Gamma_2), X_1 \in C_1, X_2 \in C_2 \vdash_\Sigma [\sigma](P) \in [\sigma](G)$$

We have to weaken $\mathcal{D}_1$ and $\mathcal{D}_2$ to perform cut elimination with $\mathcal{F}_1$; apply weakening lemma 4.16:

$$\mathcal{D}_1' :: \Gamma_1, [\sigma](\Gamma_2) \vdash_\Sigma P_1 \in C_1 \qquad \mathcal{D}_2' :: \Gamma_1, [\sigma](\Gamma_2) \vdash_\Sigma P_2 \in C_2$$

$$\mathcal{F}_2 :: \mathcal{D}_1' \otimes \mathcal{F}_1 = \Gamma_1, [\sigma](\Gamma_2), X_2 \in [P_1/X_1](C_2) \vdash_\Sigma [P_1/X_1]([\sigma](P)) \in [P_1/X_1]([\sigma](G))$$

Trivially this is equivalent to

$$\mathcal{F}_2 :: \mathcal{D}_1' \otimes \mathcal{F}_1 = \Gamma_1, [\sigma](\Gamma_2), X_2 \in C_2 \vdash_\Sigma [P_1/X_1]([\sigma](P)) \in [\sigma](G)$$

Finally cut elimination gives us

$$\Gamma_1, [\sigma](\Gamma_2) \vdash_\Sigma [P_2/X_2]([P_1/X_1]([\sigma](P))) \in [P_2/X_2]([\sigma](G))$$

which is equivalent to

$$\mathcal{F}_3 :: \mathcal{D}_2' \otimes \mathcal{F}_2 = \Gamma_1, [\sigma](\Gamma_2) \vdash_\Sigma [P_2/X_2]([P_1/X_1]([\sigma](P))) \in [\sigma](G)$$

□
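As an added illustration that is not part of the thesis, the following Python code (written for this page, on constructed terms) implements the program-level reductions that the cut cases of Theorem 4.21 compute: every case of the proof replaces a cut of a right rule against the matching left rule by the substitutions in its final sequent, and this is exactly what `reduce_cut` performs on the proof term. The term encoding, the tuple shapes and the variable-distinctness assumption are mine.

```python
# Added example, not from the thesis: the proof-term reductions that the cut
# cases of Theorem 4.21 compute (R/L for forall, ->, exists, or, and).  Terms
# are nested tuples.  Assumption: bound names are distinct from all free names,
# so naive substitution is capture-free (no alpha-renaming is implemented).
# Shapes: ('var',x) ('fun',x,Q) ('app',F,P) ('let',S,E,P') ('inx',P1,P2)
#         ('inl',P) ('inr',P) ('pair',P1,P2) ('case',S,{tag: (vars, body)})

def subst(term, var, repl):
    """[repl/var](term), respecting the binders of fun, let and case."""
    tag = term[0]
    if tag == 'var':
        return repl if term[1] == var else term
    if tag == 'fun':
        _, x, body = term
        return term if x == var else ('fun', x, subst(body, var, repl))
    if tag == 'let':
        _, scrut, e, body = term
        body = body if e == var else subst(body, var, repl)
        return ('let', subst(scrut, var, repl), e, body)
    if tag == 'case':
        _, scrut, branches = term
        new = {k: (vs, body if var in vs else subst(body, var, repl))
               for k, (vs, body) in branches.items()}
        return ('case', subst(scrut, var, repl), new)
    return (tag,) + tuple(subst(t, var, repl) for t in term[1:])

def reduce_cut(term):
    """One local reduction at the root; unchanged if the root is no cut redex."""
    if term[0] == 'let':                       # let (app (fun X.Q) P) be E in P'
        _, scrut, e, body = term
        if scrut[0] == 'app' and scrut[1][0] == 'fun':
            _, x, q = scrut[1]
            return subst(body, e, subst(q, x, scrut[2]))   # [[P/X](Q)/E](P')
    if term[0] == 'case':
        _, scrut, branches = term
        kind = scrut[0]
        if kind in ('inx', 'pair') and kind in branches:   # two pattern variables
            (x1, x2), q = branches[kind]
            return subst(subst(q, x1, scrut[1]), x2, scrut[2])  # [P2/X2]([P1/X1](Q))
        if kind in ('inl', 'inr') and kind in branches:    # one pattern variable
            (x1,), p = branches[kind]
            return subst(p, x1, scrut[1])                  # [P/X_i](P_i)
    return term

# Constructed instance of the Implication case after [(fun X.Q)/F]:
# let (app (fun X.(pair X X)) p) be E in (case E of (pair X1 X2) => X2)
IMPL_EXAMPLE = ('let', ('app', ('fun', 'X', ('pair', ('var', 'X'), ('var', 'X'))),
                        ('var', 'p')), 'E',
                ('case', ('var', 'E'), {'pair': (('X1', 'X2'), ('var', 'X2'))}))
```

Applying `reduce_cut` to `IMPL_EXAMPLE` once performs the R→/L→ step and leaves a pair case over `(pair p p)`; a second application performs the R∧/L∧ step and yields `p`.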